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Independent Orbiter Assessment 
Analysis of the Electrical Power Generation/Fuel 
Cell Powerplant Subsystem 


1.0 EXECUTIVE SUMMARY 

The McDonnell Douglas Astronautics Company ( MDAC ) was selected in 
June 1986 to perform an Independent Orbiter Assessment (IOA) of 
the Failure Modes and Effects Analysis ( FMEA ) and Critical Items 
List (CIL). Direction was given by the STS Orbiter and GFE 
Projects Office to perform the hardware analysis using the 
instructions and ground rules defined in NSTS 22206 , Instructions 
for Preparation of FMEA and CIL, 10 October 1986 . The IOA 
approach features a top-down analysis of the hardware to 
determine failure modes, criticality, and potential critical 
items. To preserve independence, this analysis was accomplished 
without reliance upon the results contained within the NASA 
FMEA/ CIL documentation. This report documents (Appendix C) the 
independent analysis results corresponding to the Orbiter 
Electrical Power Generation (EPG)/Fuel Cell Powerplant (FCP) 
hardware . 

The EPG/FCP hardware is required for performing functions of 
electrical power generation and product water distribution in the 
Orbiter. Specifically, the EPG/FCP hardware consists of the 
following divisions: 

o Power Section Assembly (PSA) 
o Reactant Control Subsystem (RCS) 
o Thermal Control Subsystem (TCS) 
o Water Removal Subsystem (WRS) 

The IOA analysis process utilized available EPG/FCP hardware drawings 
and schematics for defining hardware assemblies, components, and 
hardware items . Each level of hardware was evaluated and 
analyzed for possible failure modes and effects. Criticality was 
assigned based upon the severity of the effect for each failure 
mode. 

Figure 1 presents the failure criticalities for the four major 
divisions of the two FCP assemblies. A summary of the number of 
failure modes, by criticality, is also presented below with 
Hardware (HW) criticality first and Functional (F) criticality 
second. 


-i — — 1- 

I Summary of IOA Failure Modes By Criticality (HW/F) I 


Criticality : 

1/1 

2/1R 

2/2 

3/1R 

3/2R 

3/3 

TOTAL 

Number : 

3 

26 

- 

10 

4 

19 

62 
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EPG/FCP OVERVIEW 
ANALYSIS SUMMARY 


EPG/FCP 

ANALYSIS SUMMARY 

CRIT /FM 

#PCI 

CRIT #FM #PCI 

1/1 3 

3 

3/2R 4 3 

2/1R 26 

26 

3/3 19 NA 

3/1R 10 

0 




POWER SECTION 


ASSESSORY SECTION 


REACTANT CONTROL 

SUBSYSTEM 

CRIT 

/FM #PCI 

1/1 

1 1 

2/1R 

7 7 

3/1R 

3 0 

3/3 

6 NA 


THERMAL CONTROL 

SUBSYSTEM 

CRIT 

/FM /PCI 

2/1 R 

5 5 

3/1 R 

2 0 

3/3 

4 NA 


POWER SECTION 
ASSEMBLY 
CRIT #FM #PCI 

1/1 2 2 

2/1R 5 S 

3/3 1 NA 


WATER 

REMOVAL 

SUBSYSTEM 

CRIT 

/FM 

/PCI 

2/1 R 

9 

9 

3/1R 

4 

0 

3/2R 

4 

3 

3/3 

9 

NA 


CRIT - CRITICALITY 

FM - FAILURE MODE 

PCI - POTENTIAL CRITICAL ITEM 

NA - NOT APPLICABLE 


Figure 1 - EPG/FCP OVERVIEW ANALYSIS SUMMARY 
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For each failure mode identified, the criticality and redundancy 
screens were examined to identify critical items. A summary of 
Potential Critical Items (PCIs) is presented as follows: 




j Summary of IOA Potential Critical Items (HW/F) j 


Criticality: 

1/1 

2/1R 

2/2 

3/1R 

3/2R 

TOTAL 

Number : 

3 

26 

- 

- 

3 

32 
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2 . 0 INTRODUCTION 


2 . 1 Purpose 

The 51-L Challenger accident prompted the NASA to readdress 
safety policies, concepts, and rationale being used in the 
National Space Transportation System (NSTS). The NSTS Office has 
undertaken the task of reevaluating the FMEA/CIL for the Space 
Shuttle design. The MDAC is providing an independent assessment 
of the Orbiter FMEA/CIL for completeness and technical accuracy. 


2.2 Scope 

The scope of the independent FMEA/CIL assessment activity 
encompasses those Shuttle Orbiter subsystems and GFE hardware 
identified in the Space Shuttle Independent FMEA/CIL Assessment 
Contractor Statement of Work. Each subsystem analysis addresses 
hardware, functions, internal and external interfaces, and 
operational requirements for all mission phases. 


2.3 Analysis Approach 

The independent analysis approach is a top-down analysis 
utilizing as-built drawings to breakdown the respective subsystem 
into components and low-level hardware items . Each hardware item 
is evaluated for failure mode, effects, and criticality. These 
data are documented in the respective subsystem analysis report, 
and are used to assess the NASA and Prime Contractor FMEA/CIL 
reevaluation results. The IOA analysis approach is summarized in 
the following Steps 1.0 through 3.0. Step 4.0 summarizes the 
assessment of the NASA and Prime Contractor FMEAs/CILs that is 
performed and documented at a later date. 


Step 1.0 Subsystem Familiarization 

1.1 Define subsystem functions 

1.2 Define subsystem components 

1.3 Define subsystem specific ground rules and 
assumptions 

Step 2.0 Define subsystem analysis diagram 

2.1 Define subsystem 

2.2 Define major assemblies 

2 . 3 Develop detailed subsystem representations 

Step 3.0 Failure events definition 

3.1 Construct matrix of failure modes 

3.2 Document IOA analysis results 
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Step 4.0 Compare IOA analysis data to NASA FMEA/CIL 

4.1 Resolve differences 

4 . 2 Review in-house 

4.3 Document assessment issues 

4.4 Forward findings to Project Manager 


2.4 EPG/FCP Ground Rules and Assumptions 

The EPG/FCP ground rules and assumptions used in the IOA are 
defined in Appendix B. 
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3.0 SUBSYSTEM DESCRIPTION 

3.1 Design and Function 

The EPG/FCP consists of hardware that is required for electrical 
power generation and Fuel Cell (FC) product water collection and 
distribution in the Orbiter. Reference Figures 2 and 3. The 
EPG/FCP consists of the following divisions: 

1. The Power Section Assembly (PSA) which is also called 
Cell Stack Assembly (CSA) combines hydrogen and oxygen 
through an electrochemical conversion to produce 
electrical power, water, and heat. Each PSA cell stack 
consists of cell plates, pressure plates, end cell 
heater/ insulator plates, tie rods, and individual cell 
voltage harness. Each cell plate is made up of Unitized 
Electrode Assembly (UEA) and separator plates. The cell 
stack consists of 96 cell plates grouped electrically 
into three substacks connected in parallel . The 
substack contains 32 cell plates connected electrically 
in series. The PSA also contains a cell performance 
monitor which provides continuous analog data outputs to 
the Orbiter. The outputs transmit individual cell 
performance problems or imminent failures. Reference 
Figure 4 . 

2. The Reactant Control Subsystem (RCS) consists of 
preheaters, coupled reactant regulator, hydrogen pump- 
separator, condenser, hydrogen/water purge/vent line and 
oxygen purge/vent line. The RCS heats cryogenic- 
temperature gaseous reactants (oxygen and hydrogen) from 
the Power Reactant Storage and Distribution System 
(PRSDS) to an acceptable temperature for delivery to the 
coupled reactant regulator. The RCS delivers reactant 
gases to the PSA on demand and controls the reactant 
pressure within the cell plates. The RCS provides for 
purging of inert gases from reactant lines. The RCS 
circulates hydrogen for water removal from the PSA and 
also prevents water from entering the PSA. Reference 
Figure 5 . 

3. The Thermal Control System (TCS) contains a coolant 
pump, thermal control valve, coolant accumulator, 
start/sustaining heater, and condenser. The TCS 
controls the FCP operating temperatures and electrolyte 
concentration. The TCS removes waste heat from the PSA 
and heat from the moist hydrogen recycle flow to 
condense water vapor. The TCS transfers heat to the 
inlet reactant gases passing through preheaters and 
rejects heat to the Orbiter vehicle cooling system. 
Reference Figure 6. 

4. The Water Removal Subsytem (WRS) consists of a 
condenser, hydrogen pump-separator, water purity sensor. 
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water trap and water discharge line. The WRS removes 
water produced in the PSA during the FCP operation. The 
FCP produces water vapor which is converted to a liquid 
in the condenser. The hydrogen pump-separator 
centrifugally separates the water from the hydrogen. 

The WRS delivers the water to the Orbiter vehicle 
potable water storage system or to the water relief 
line. Reference Figure 7. 

3 . 2 Interfaces and Locations 

The three EPG/FCPs are installed in the mid-body of the Orbiter 
beneath the payload bay liner. Fuel Cell 1 (FC1) is located on 
the left-hand side of the payload bay. Whereas, FC2 and FC3 are 
located forward and aft respectively, on the right-hand side of 
the payload bay. Reference Figure 8. The FCPs PSA receives 
the hydrogen and oxygen reactants from the Power Reactants 
Stowage and Distribution System (PRSDS). The product water from 
the PSA is transported to the Environmental Control and Life 
Support System (ECLSS) for stowage. The waste heat produced by 
the PSA is rejected to the Orbiter vehicle cooling system through 
the FC40 coolant in the TCS. The FCP receives three phase AC 
electrical power from the Orbiter to power the coolant pump, 
hydrogen pump-separator, and the water purity sensor. The FCP 
generates DC electrical power which is distributed to the Orbiter 
electrical power system. Reference Figure 9. 


3 . 3 Hierarchy 

Figures 2 and 3 illustrate the hierarchy of the EPG and FCP 
systems, respectively. The FCP subsystems are depicted in 
Figures 4 through 7 . 
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Figure 2 - EPG SUBSYSTEM OVERVIEW 


ELECTRICAL POWER GENERATION SUBSYTEM OVERVIEW 



□ EPG INTERFACE BUT NOT 

CONSIDERED IN THIS ANALYSIS 




Figure 3 - FCP SUBSYSTEM OVERVIEW 


FUEL CELL POWER PLANT SUBSYSTEM OVERVIEW 





Figure 4 - FCP POWER SECTION ASSEMBLY (PSA) 


FCP POWER SECTION ASSEMBLY 
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Figure 5 - FCP REACTANT CONTROL SUBSYSTEM (RCS) 
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Figure 6 - FCP THERMAL CONTROL SUBSYSTEM (TCS 



Figure 


FCP WATER REMOVAL SUBSYSTEM 










Figure 8 - FCP LOCATION IN THE ORBITER VEHICLE 


FUEL CELL POWERPLANT 

LOCATION IN THE ORBITER VEHICLE 


FC2 



O Three Orbiter FCP’s installed in the Orbiter vehicle mid -body beneath 
the payload liner 

- FC1 installed on left-hand side 

- FC2 installed forward on right-hand side 

- FC3 installed aft on right-hand side 







4 . 0 ANALYSIS RESULTS 


Detailed analysis results for each of the identified failure 
inodes are presented in Appendix C. Table I presents a summary of 
the failure criticalities for each of the four major subdivisions 
of the EPG/Fuel Cell. Further discussion of each of these 
subdivisions and the applicable failure modes is provided in 
subsequent paragraphs . 


+ ■ — + 

| TABLE I Summary of IOA Failure Modes and Criticalities ] 


Criticality : 

1/1 

2/1R 

2/2 

3/1R 

3/2R 

3/3 

TOTAL 

PSA 

2 

5 

- 

1 

- 

- 

8 

RCS 

1 

7 

- 

3 

- 

6 

17 

TCS 

- 

5 

- 

2 

- 

4 

11 

WRS 

- 

9 

- 

4 

4 

9 

26 

TOTAL 

3 

26 

- 

10 

4 

19 

62 


Of the 62 failure modes analyzed, 32 failures were determined to 
be PCIs. A summary of the PCIs is presented in Table II. 
Appendix D presents a cross reference between each PCI and a 
specific worksheet in Appendix C. 


H + 

| TABLE II Summary of IOA Potential Critical Items ! 


Criticality : 

1/1 

2/1R 

2/2 

3/1R 

3/2R 

TOTAL 

EPG/FPC 

3 

26 

- 

- 

3 

32 


4.1 Analysis Results PSA 

The Power Section Assembly consists of the end cell 
heater/insulator plates, pressure plates, tie rods, individual 
cell voltage harness, cell performance monitor, and separator 
plates . These components are illustrated in Figure 4 . There 
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were eight failure modes identified for this division. Of these 
eight, two are criticality 1/1, five are criticality 2/1R, and 
one is criticality 3/1R. Seven failures from the PSA are 
identified to be PCI's. These are listed in Appendix D. 


4.2 Analysis Results RCS 

The Reactant Control Subsystem consists of preheaters, coupled 
reactant regulator, hydrogen pump spearator, condenser, 
hydrogen/water purge vent line and oxygen purge/vent line. These 
components are illustrated in Figure 5. There were seventeen 
failure modes identified for the RCS division. Of these 
seventeen, one is criticality 1/1, seven are criticality 
2/1R , three are criticality 3/1R, and six are criticality 3/3. 
Eight failures from the RCS are identified to be PCI's. These 
are listed in Appendix D. 


4.3 Analysis Results TCS 

The Thermal Control Subsystem contains a coolant pump, thermal 
control valve, coolant accumulator, start/sustaining heater and 
condenser. These components are illustrated in Figure 8. There 
were eleven failure modes identified for the TCS division. Of 
these eleven, five are criticality 2/1R, two are criticality 
3/1R, and four are 3/3. Five failures from the TCS are 
identified to be PCI's. These are listed in Appendix D. 


4.4 Analysis Results WRS 

The Water Removal Subsystem consists of a condenser, hydrogen 
pump-separator, water trap and water discharge line. These 
components are illustrated in Figure 9 . There were twenty-six 
failure modes identified for the WRS division. Of these twenty- 
six, nine are criticality 2/1R, four are criticality 3/1R, 
four are criticality 3/2R, and nine are criticality 3/3. Twelve 
failures from the WRS are identified to be PCI's. These are 
listed in Appendix D. 
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MC 

464-0115 

b. 

ME 

363-0042-0003 

c . 

MC 

284-0431-0001 

d. 

ME 

284-0475-0001 

e . 

MC 

363-0037-0001 

f . 

MC 

363-0038-0014 

g* 

MC 

363-0038-0001-0004 

h. 

MC 

363-0038-0003-0004 

i . 

MC 

363-0037-0002 

j • 

MC 

363-0038-0006 

k . 

ME 

449-0160-0003 


Fuel Cell 

Water Nozzle & Heater 
Assembly 

Water Pressure Relief Valve 
Water Supply Check Valve 
Strip Heater EPG 
Line Heater H20 Relief Vent 
Line 

Line Heater Oxygen Purge Line 
Line Heater Hydrogen Purge 
Line 

Strip Heater Hydrogen Purge 
Port 

Line Heater, FCP Product 
Water Line 

Temperature Sensors for 
Product Water Line, Water 
Relief Valve, Coolant Return, 
Oxygen Vent Line, Hydrogen 
Vent Line and Water Relief 
Line 
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d. VS70-450-119 

e. V070-454-765 


Orbiter Fuel Cell Control Subsystem 
Orbiter Fuel Cell Control Subsystem 
Orbiter Fuel Cell Control Subsystem 
Orbiter Fuel Cell Control Subsystem 
Panel - Water Relief Assembly 
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l. 770598-99 Components Assembly - Fuel Cell 

m. 782900 Power Plant Assembly - Fuel Cell ( 

n. 787900 Power Plant Assembly - Fuel Cell 

o. 788400 Power Plant Assembly - Fuel Cell * 
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APPENDIX A 
ACRONYMS 


AOA 

ATO 

CIL 

CPM 

CRIT 

CSA 

C&W 

ECLSS 

EPA 

EPG 

EPS 

F 

FC 

FCP 

FMEA 

FSSR 

GFE 

HW 

IFC 

IOA 

MDAC 

NASA 

NSTS 

NA 

OMRSD 

PCI 

PRCB 

PRSDS 

PSA 

RCS 

RI 

RTLS 

SM 

STS 

TAL 

TCS 

UEA 

WRS 


Abort Once Around 

Abort To Orbit 

Critical Items List 

Cell Performance Monitor 

Criticality 

Cell Stack Assembly 

Caution and Warning System 

Environmental Control and Life Support System 

Environmental Protection Agency 

Electrical Power Generation 

Electrical Power System 

Functional 

Fuel Cell 

Fuel Cell Powerplant 
Failure Mode and Effect Analysis 
Flight System Software Requirement 
Government Furnished Equipment 
Hardware 

International Fuel Cells 
Independent Orbiter Assessment 
McDonnell Douglas Astronautics Company 
National Aeronautics and Space Administration 
National Space Transportation System 
Not Applicable 

Operations and Maintenance Requirements and Specification 
Document 

Potential Critical Item 

Program Requirements Control Board 

Power Reactant Storage & Distribution System 

Power Section Assembly 

Reactant Control Subsystem 

Rockwell International 

Return To Landing Site 

System Management 

Space Transportation System 

Transatlantic Abort Landing 

Thermal Control Subsystem 

Unitized Electrode Assembly 

Water Removal Subsystem 
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APPENDIX B 


DEFINITIONS, GROUND RULES, AND ASSUMPTIONS 


B.l Definitions 

B.2 Project Level Ground Rules and Assumptions 
B.3 Subsystem-Specific Ground Rules and Assumptions 
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APPENDIX B 

DEFINITIONS, GROUND RULES, AND ASSUMPTIONS 


B.l Definitions 

Definitions contained in NSTS 22206, Instructions For Preparation 
of FMEA/CIL , 10 October 1986 , were used with the following 
amplifications and additions. 

INTACT ABORT DEFINITIONS : 

RTLS - begins at transition to OPS 6 and ends at transition 
to OPS 9, post-flight 

TAL - begins at declaration of the abort and ends at 
transition to OPS 9, post-flight 

AOA - begins at declaration of the abort and ends at 
transition to OPS 9 ,, post-flight 

ATO - begins at declaration of the abort and ends at 
transition to OPS 9, post-flight 

CREDIBLE ( CAUSE ) - an event that can be predicted or expected in 
anticipated operational environmental conditions. Excludes an 
event where multiple failures must first occur to result in 
environmental extremes 

CONTINGENCY CREW PROCEDURES - procedures that are utilized beyond 
the standard malfunction procedures, pocket checklists, and cue 
cards 

EARLY MISSION TERMINATION - termination of onorbit phase prior to 
planned end of mission 

EFFECTS /RATIONALE - description of the case which generated the 
highest criticality 

HIGHEST CRITICALITY - the highest functional criticality 
determined in the phase-by-phase analysis 

MAJOR MODE (MM) - major sub-mode of software operational sequence 
(OPS) 

MC - Memory Configuration of Primary Avionics Software System 
(PASS) 

MISSION - assigned performance of a specific Orbiter flight with 
payload/objective accomplishments including orbit phasing and 
altitude (excludes secondary payloads such as GAS cans, 
middeck P/L, etc.) 


B-2 



MULTIPLE ORDER FAILURE - describes the failure due to a single 
cause or event of all units which perform a necessary (critical) 
function 

OFF-NOMINAL CREW PROCEDURES - procedures that are utilized beyond 
the standard malfunction procedures, pocket checklists, and cue 
cards 

OPS - software operational sequence 

PRIMARY MISSION OBJECTIVES - worst case primary mission objec- 
tives are equal to mission objectives 

PHASE DEFINITIONS: 

PRELAUNCH PHASE - begins at launch count-down Orbiter 
power-up and ends at moding to OPS Major Mode 102 (liftoff) 

LIFTOFF MISSION PHASE - begins at SRB ignition (MM 102) and 
ends at transition out of OPS 1 (Synonymous with ASCENT) 

QNORBIT PHASE - begins at transition to OPS 2 or OPS 8 and 
ends at transition out of OPS 2 or OPS 8 

DEORBIT PHASE - begins at transition to OPS Major Mode 
301 and ends at first main landing gear touchdown 

LANDING/SAFING PHASE - begins at first main gear 
touchdown and ends with the completion of post-landing 
safing operations 
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APPENDIX B 

DEFINITIONS , GROUND RULES, AND ASSUMPTIONS 


B . 2 IOA Project Level Ground Rules and Assumptions 

The philosophy embodied in NSTS 22206 , Instructions for 
Preparation of FMEA/CIL, 10 October 1986 , was employed with the 
following amplifications and additions. 


1 . The operational flight software is an accurate 
implementation of the Flight System Software Requirements 
( FSSRs ) . 

RATIONALE: Software verification is out-of-scope of 
this task. 

2. After liftoff, any parameter which is monitored by system 
management (SM) or which drives any part of the Caution and 
Warning System (C&W) will support passage of Redundancy 
Screen B for its corresponding hardware item. 

RATIONALE: Analysis of on-board parameter availability 
and/or the actual monitoring by the crew 
is beyond the scope of this task. 

3 . Any data employed with flight software is assumed to be 
functional for the specific vehicle and specific mission 
being flown. 

RATIONALE: Mission data verification is out-of-scope of 
this task. 

4. All hardware (including firmware) is manufactured and 
assembled to the design specifications/drawings. 

RATIONALE: Acceptance and verification testing is 

designed to detect and identify problems 
before the item is approved for use. 

5. All Flight Data File crew procedures will be assumed 
performed as written, and will not include human error in 
their performance. 

RATIONALE: Failures caused by human operational error 
are out-of-scope of this task. 
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6 . 


All hardware analyses will, as a minimum, be performed at 
the level of analysis existent within NASA/Prime Contractor 
Orbiter FMEA/CILs , and will be permitted to go to greater 
hardware detail levels but not lesser. 

RATIONALE: Comparison of IOA analysis results with 

other analyses requires that both analyses 
be performed to a comparable level of 
detail . 

7 . Verification that a telemetry parameter is actually 
monitored during AOS by ground-based personnel is not 
required. 

RATIONALE: Analysis of mission-dependent telemetry 

availability and/or the actual monitoring of 
applicable data by ground-based personnel is 
beyond the scope of this task. 

8. The determination of criticalities per phase is based on the 
worst case effect of a failure for the phase being analyzed. 
The failure can occur in the phase being analyzed or in 

any previous phase, whichever produces the worst case 
effects for the phase of interest. 

RATIONALE: Assigning phase criticalities ensures a 
thorough and complete analysis. 

9. Analysis of wire harnesses, cables, and electrical connectors 
to determine if FMEAs are warranted will not be performed 
nor FMEAs assessed. 

RATIONALE: Analysis was substantially complete prior 

to NSTS 22206 ground rule redirection. 

10. Analysis of welds or brazed joints that cannot be inspected 
will not be performed nor FMEAs assessed. 

RATIONALE: Analysis was substantially complete prior 

to NSTS 22206 ground rule redirection. 

11. Emergency system or hardware will include burst discs and 
will exclude the EMU Secondary Oxygen Pack (SOP), pressure 
relief valves and the landing gear pyrotechnics. 

RATIONALE: Clarify definition of emergency systems to 
ensure consistency throughout IOA project. 
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APPENDIX B 

DEFINITIONS, GROUND RULES, AND ASSUMPTIONS 


B . 3 EPG-Specific Ground Rules and Assumptions 

1 . Component age life will not be considered in the analysis. 

RATIONALE: Component age life analysis is beyond the 

scope of this task. 

2 . Cryogenic system pressure to the fuel cell will be assumed 
lost if unable to maintain minimum supply conditions of 100 
PSI for H2 and/or 02 tanks. 

RATIONALE: Minimum requirements definition. Flight 

rule definition. 

3. An 02 cryo tank will be assumed lost if both of its heaters 
fail to function (i.e., neither heater will function with 
the delta current sensors enabled). 


RATIONALE: Systems failure definition. Flight rule 

definition. 

4. An H2 cryo tank will be assumed lost if neither of its 
heaters will function. 

RATIONALE: Systems failure definition. Flight rule 

definition. 

5. An impending loss of all cryo 02 or all cryo H2 tanks will 
be cause to exercise the highest-priority abort mode the 
loss/leak will allow. 

RATIONALE: Flight rule definition. 

6. Continue nominal ascent if 2/3/4 02 (H2) tanks fail when 
flying 3/4/5. 

Enter next PLS daily go/no-go if two 02 (H2) tanks fail 
during lift-off and on-orbit. 

RATIONALE: Flight rules go/no-go criteria. 

7. Ascent abort decision will be needed for any EPG/PRSD/FCP 
problems that will not support four hours on-orbit plus 
entry time. 

RATIONALE: Flight operations rules. 
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8 . 


A fuel cell will be considered failed if the following 
conditions exist. 


9. 


10 . 


a. An abnormal or unexplained voltage versus current 
performance loss of >0.5 volts for a single FC based on 
predicted performance data. 

b. Coolant pump or H2 pump/H20 separator is lost. 

c. Fuel cell stack-coolant temperature >255 degrees 
(242.5) degrees F or <175 degrees (182.5) degrees F. 

d. Coolant pressure >75 (71.4) PSIA and increasing. 

e. Fuel cell unable to discharge water to the ECLSS H20 
storage tanks or overboard via the fuel cell H20 
relief system. 

f. Local KOH concentration >48 percent (45 percent) dry or 
<24 percent (29 percent) wet as indicated by fuel cell 
stack-coolant temperature, condenser exit temperature, 
and current relationship. 

g. Fuel cell reactant valve fails closed. 

h. Cannot be connected to a main bus. 

i. Fuel cell H20 pH high confirmed. 

j. Fuel cell 02 reaction chambers cannot be purged. 

k. Fuel cell end-cell heater failing on. 

l. Fuel cell substack delta volts >150 millivolts and 
increasing. 

RATIONALE: Systems failure definition. 

Loss of one fuel cell is considered cause for priority 
flight and abort decision. 

RATIONALE: Mission flight rule definition. 

Loss of two fuel cells is considered cause for abort 
mission. 

RATIONALE: Contingency action summary. Flight Rule 

definition. 
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11. Loss of three fuel cells is considered loss of life/vehicle 
in all mission phases. 

RATIONALE: Flight rule definition. 

12. Loss of two fuel cells in the first stage of ascent is 
considered loss of life/vehicle. 

RATIONALE: SRB loads are too high for one fuel cell to 

support. Voltage may go <25v which will 
shut down the GPCs . 

13. Although the ECLSS product-water storage is a separate 
system from EPG, it will be considered as a failable 
redundant product-water relief line for purposes of the EPG 
functional criticality scenarios. 

RATIONALE: This assumption violates general ground 

rule 3. 1.1. 6 but is essential for 
evaluating failures associated with the 
water relief line. 

14. Filter failure will only be considered in the case of total 
flow blockage. Cases of improper/insufficient filtering 
will not be considered except where obvious. 

RATIONALE: The effect of 'poor' filter performance on 

downstream components is beyond the scope 
of our efforts. 

15. The start/sustaining heater on the left-hand FCP (FCP #1) is 
assumed to be disconnected. Thus, this FCP cannot be 
maintained operational at no-load, and will be considered 
shutdown if the load cannot be maintained at greater than 2 
KW. 

RATIONALE: Load needed to maintain operating 

temperature. Right hand FCP uses 
sustaining heater to maintain temperature 
at no-load. 

16. For all "failed open" failure modes for valves which are 
normally open, redundancy screen B will be assumed failed. 

RATIONALE: The failure is not detectable until the valve 

is required to be closed. 
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17. Five 02 and H2 tanks are being used as the baseline 
configuration under study. 

RATIONALE: The configuration for all redundant components 

is being considered for this analysis. 

18. Inadvertant Fuel Cell shutdown during RTLS and TAL abort is 
considered loss of crew/vehicle . 

RATIONALE: Loss of FCP 1/Bus A is loss of OMS Engine 

Purge Capability (required for TAL) and Aft 
Compartment MPS Helium Purge Capability 
(required for RTLS and TAL). 
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APPENDIX C 
DETAILED ANALYSIS 


This section contains the IOA analysis worksheets generated 
during the analysis of this subsystem. The information on these 
worksheets is intentionally similar to the NASA FMEAs . Each of 
these sheets identifies the hardware item being analyzed, and 
parent assembly, as well as the function. For each failure mode, 
the possible causes are outlined, and the assessed hardware and 
functional criticality for each mission phase is listed, as 
described in the NSTS 22206 , Instructions for Preparation of FMEA 
and OIL, 10 October 1986 . Finally, effects are entered at the 
bottom of each sheet, and the worst case criticality is entered 
at the top. 


LEGEND FOR IOA ANALYSIS WORKSHEETS 


Hardware Criticalities: 

1 = Loss of life or vehicle 

2 = Loss of mission or next failure of any redundant item 

(like or unlike) could cause loss of life/vehicle 

3 = All others 

Functional Criticalities: 

1R = Redundant hardware items (like or unlike) all of which, 
if failed, could cause loss of life or vehicle. 

2R = Redundant hardware items (like or unlike) all of which, 
if failed, could cause loss of mission. 

Redundancy Screen A: 

1 = Is Checked Out PreFlight 

2 = Is Capable of Check Out PreFlight 

3 = Not Capable of Check Out PreFlight 
NA = Not Applicable 

Redundancy Screens B and C: 

P = Passed Screen 
F = Failed Screen 
NA = Not Applicable 
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INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 

DATE: 11/03/86 HIGHEST CRITICALITY HDW/FUNC 

SUBSYSTEM: EPG FLIGHT: 2/1R 

MDAC ID: 101 ABORT: 1/1 

ITEM: FUEL CELL 

FAILURE MODE: LOSS ELECTRICAL CONTACT IN THE POWER SECTION 

LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) PSA 

4) 

5) 

6 ) 

7) 

8) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

1/1 

LIFTOFF: 

2/1R 

TAL: 

1/1 

ONORBIT: 

2/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

2/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C[P] 


LOCATION: MID-BODY 

PART NUMBER: MC4 64-0115 


CAUSES: MECHANICAL SHOCK, VIBRATION, CORROSION, THERMAL STRESS, 

FATIGUE 

EFFECTS/RATIONALE : 

LOSS OF ELECTRICAL CONTACT CAUSES INADVERTANT FUEL CELL SHUTDOWN. 


REFERENCES : 


REPORT DATE 11/24/86 
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INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 

DATE: 11/03/86 HIGHEST CRITICALITY HDW/FUNC 

SUBSYSTEM: EPG FLIGHT: 2/1R 

MDAC ID: 104 ABORT: 2/1R 

ITEM: END CELL HEATER 

FAILURE MODE: FAIL OFF 

LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) PSA 

4) 

5) 

6 ) 

7) 

8 ) 

8 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/1R 

LIFTOFF: 

2/1R 

TAL: 

3/1R 

ONORBIT: 

2/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

2/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C [ P ] 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 


CAUSES: ELECTRICAL FAILURE 

EFFECTS/RATIONALE: 

LOSS OF FUEL CELL THERMAL INSULATION IS CAUSED BY THE FAILED OFF 
END CELL HEATERS. DURING LIGHT ELECTRICAL LOADING OF THE FUEL 
CELL, THE LOSS OF THE FUEL CELL HEATER MAY CAUSE CELL FLOODING 
WHICH REQUIRES FCP SHUTDOWN. ELECTRICAL END CELL HEATERS ARE 
BEING REPLACED WITH HEATERS CONTROLLED BY THE COOLANT SYSTEM. 


REFERENCES : 
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INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

105 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 2/1R 

ABORT: 2/1R 


ITEM: END CELL HEATER 

FAILURE MODE: FAIL ON 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 


1) 

EPG 

2) 

FCP 

3) 

PSA 

4) 


5) 


6) 


7) 


8) 


9) 



CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/1R 

LIFTOFF: 

2/1R 

TAL: 

3/1R 

ONORBIT: 

2/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

2/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

c [ p ] 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 


CAUSES: ELECTRICAL FAILURES 

EFFECTS /RATIONALE : 

ON ORBIT THE FUEL CELL WOULD HAVE TO BE SHUTDOWN WITH A FAILED ON 
END CELL HEATER. EXCESSIVE HEATING WILL DEGRADE CELL MATRIX OR 
SEALS AND ALLOW REACTANT CROSSOVER. 

WITH THE END CELL HEATERS FAILED ON THE FUEL CELL CAN OPERATE FOR 
51 MINUTES BEFORE THE CELL HAS TO BE SHUTDOWN. 


REFERENCES: 


REPORT DATE 11/24/86 
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INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

106 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 1/1 

ABORT: 1/1 


ITEM: SEPARATOR PLATES/UEA 

FAILURE MODE: REACTANT LEAKAGE TO ORBITER (EXTERNAL LEAKAGE) 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) PSA 

4) 

5) 

6 ) 

7) 

8 ) 

9 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

1/1 

RTLS: 

1/1 

LIFTOFF: 

1/1 

TAL: 

1/1 

ONORBIT: 

1/1 

AO A: 

1/1 

DEORBIT: 

LANDING/SAFING: 

1/1 

1/1 

ATO: 

1/1 

REDUNDANCY SCREENS: 

A [NA ] 

B [NA ] 

C [NA ] 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 


CAUSES: SEAL FAILURE 


EFFECTS/RATIONALE : 

AN EXTERNAL REACTANT LEAK IN THE SEPARATOR PLATES CAN CAUSE A 
POTENTIAL EXPLOSION/FIRE. THE LEAKAGE IS DETECTABLE WITH HIGH 
REACTANT FLOW RATES. 


REFERENCES: 


REPORT DATE 11/24/86 
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INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

107 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 1/1 

ABORT: 1/1 


ITEM: SEPARATOR PLATES/UEA 

FAILURE MODE: INTERNAL LEAKAGE 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) PSA 

4) 

5) 

6 ) 

7) 

8 ) 

9 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

1/1 

RTLS: 

1/1 

LIFTOFF: 

1/1' 

TAL: 

1/1 

ONORBIT: 

1/1 

AO A: 

1/1 

DEORBIT: 

1/1 

ATO: 

1/1 

LANDING/SAFING: 

1/1 



REDUNDANCY SCREENS: 

A [NA ] 

B [NA ] 

C [NA ] 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 


CAUSES: DEFECT IN ELECTROLYTE MATIRX; DEFECT IN SEAL/ SEPARATOR 

PLATE? EXCESSIVE REACTANT PRESSURE 

EFFECTS/RATIONALE : 

REACTANT CROSSOVER WITHIN THE SEPARATOR PLATES CAN CAUSE 
POTENTIAL EXPLOSION/FIRE HAZARD. THE REACTANT CROSSOVER IS 
DETECTABLE BY CELL PERFORMANCE MONITOR AND HIGH REACTANT FLOW 
RATES. 


REFERENCES : 


REPORT DATE 11/24/86 
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INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

108 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 2/1R 

ABORT: 2/1R 


ITEM: SEPARATOR PLATES 

FAILURE MODE: COOLANT LEAKAGE 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) PSA 

4) 

5) 

6 ) 

7) 

8 ) 

9 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/1R 

LIFTOFF: 

2/1R 

TAL: 

3/1R 

ONORBIT: 

2/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

2/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

c [ p ] 


LOCATION: MID-BODY 

PART NUMBER: MC4 64-0115 


CAUSES: SEAL FAILURE 

EFFECTS/RATIONALE : 

COOLANT LEAK WITHIN THE SEPARATOR PLATES WILL CONTAMINATE THE 
ELECTROLYTE AND DEGRADE FCP PERFORMANCE. IT COULD ALSO CAUSE 
LOSS OF TEMPERATURE CONTROL. EITHER CONDITION WILL REQUIRE FUEL 
CELL SHUTDOWN. 


REFERENCES : 


REPORT DATE 11/24/86 
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INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

11/03/86 


HIGHEST CRITICALITY 

HDW/FUNC 

SUBSYSTEM: 

EPG 


FLIGHT: 

2/1R 

MDAC ID: 

109 


ABORT: 

2/1R 

ITEM: 

SEPARATOR 

PLATES 



FAILURE MODE 

!: REACTANT 

BLOCKAGE (02 

INLET MANIFOLD) 


LEAD ANALYST 

: M. HIOTT 

SUBSYS 

LEAD: M. HIOTT 



BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) PSA 

4) 

5) 

6 ) 

7) 

8 ) 

9 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/1R 

LIFTOFF: 

2/1R 

TAL: 

3/1R ‘ 

ONORBIT: 

2/1R 

AOA: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

2/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C [ P ] 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 


CAUSES: CORROSION, CONTAMINATION 

EFFECTS/RATIONALE : 

IF THE OXYGEN INLET TO THE SEPARATOR PLATE IS BLOCKED, THEN HIGH 
HYDROGEN CONCENTRATION FORCES ELECTROLYTE OUT OF THE CELL MATRIX 
RESULTING IN PRODUCT WATER CONTAMINATION AND FCP DEGRADATION. 
WATER CONTAMINATION IS GROUND RULE FOR FCP SHUTDOWN. 


REFERENCES : 


REPORT DATE 11/24/86 
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INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

110 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/1R 

ABORT: 3/1R 


ITEM: CELL PERFORMANCE MONITOR 

FAILURE MODE: ERRONEOUS OUTPUT 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) PSA 

4) 

5) 

6 ) 

7) 

8 ) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/1R 

LIFTOFF: 

3/1R 

TAL: 

3/1R 

ONORBIT: 

3/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

3/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P 3 

C [ P ] 


LOCATION: MID-BODY 

PART NUMBER: MC464-0015 


CAUSES: ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

ERRONEOUS OUTPUT WOULD CAUSE LOSS OF ABILITY TO MONITOR CELL 
PERFORMANCE AND CELL FAILURE. IF THE CPM IS LOST FOR ONE FUEL 
CELL, THE AFFECTED CELL CAN BE BUS TIED FOR PERFORMANCE 
MONITORING. IF ALL CPM'S ARE LOST, IT COULD BE CATASTROPHIC. 
REACTANT CROSSOVER, WHICH COULD RESULT IN AN EXPLOSION, WOULD BE 
UNDETECTABLE. 


REFERENCES: 


REPORT DATE 11/24/86 
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INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/01/86 

EPG 

111 


HIGHEST CRITICALITY HDW/FXJNC 
FLIGHT: 2/1R 

ABORT: 1/1 


ITEM: INTEGRATED DUAL GAS REGULATOR 

FAILURE MODE: GROSS VENTING 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 


1) 

EPG 

2) 

FCP 

3) 

ASA 

4) 

RCS 

5) 


6) 


7) 


8) 


9) 



CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

1/1 

LIFTOFF: 

2/1R 

TAL: 

1/1 

ONORBIT: 

2/1R 

AOA: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

2/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ p 3 

c [ p ] 


LOCATION: MID-BODY 

PART NUMBER: MC4 64-0115 


CAUSES: MECHANICAL SHOCK, VIBRATION, FATIGUE, CORROSION, 

CONTAMINATION 

EFFECTS/RATIONALE : 

GROSS VENTING ALLOWS REACTANTS TO VENT THROUGH THE PURGE/VENT 
LINE AT A FLOW RATE THAT PREVENTS REACTANT FLOW TO THE PSA. THIS 
WOULD CAUSE INADVERTANT FCP SHUTDOWN. 


REFERENCES : 


REPORT DATE 11/24/86 
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INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/01/86 

EPG 

112 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 2/1R 

ABORT: 2/1R 


ITEM: INTEGRATED DUAL GAS REGULATOR 

FAILURE MODE: H2 OVERPRESSURE 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) RCS 

5) 

6 ) 

7) 

8 ) 

9 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/1R 

LIFTOFF: 

2/1R 

TAL: 

3/1R 

ONORBIT: 

2/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

2/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

c [ p ] 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 


CAUSES: MECANICAL SHOCK, VIBRATION, CORROSION, CONTAMINATION, 

PIECE PART STRUCTURAL FAILURE. 


EFFECTS/RATIONALE : 

HYDROGEN OVERPRESSURE WILL CAUSE ELETROLYTE DEPLETION, WATER 
CONTAMINATION AND CELL SEAL FAILURE. HYDROGEN OVERPRESSURIZATION 
WOULD BE CAUSE FOR FUEL CELL SHUTDOWN. 


REFERENCES : 


REPORT DATE 11/24/86 
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INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 

DATE: 10/01/86 HIGHEST CRITICALITY HDW/FUNC 

SUBSYSTEM: EPG FLIGHT: 2/1R 

MDAC ID: 113 ABORT: 1/1 

ITEM: INTEGRATED DUAL GAS REGULATOR 

FAILURE MODE: H2 STARVATION 

LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) RCS 

5) 

6 ) 

7) 

8 ) 

9 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

1/1 

LIFTOFF: 

2/1R 

TAL: 

1/1 

ONORBIT: 

2/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

2/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

c [ p 3 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 


CAUSES: MECHANICAL SHOCK, VIBRATION, CORROSION, CONTAMINATION, 

PIECE PART STRUCTURAL FAILURE 

EFFECTS/RATIONALE : 

HYDROGEN STARVATION CAUSES INADVERTANT FUEL CELL SHUTDOWN. 


REFERENCES : 


REPORT DATE 11/24/86 
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INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/01/86 

EPG 

114 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 2/1R 

ABORT: 2/1R 


ITEM: INTEGRATED DUAL GAS REGULATOR 

FAILURE MODE: 02 OVERPRESSURE 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) RCS 

5) 

6 ) 

7) 

8 ) 

8 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/1R 

LIFTOFF: 

2/1R 

TAL: 

3/1R 

ONORBIT: 

2/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

2/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ l 3 

B [ P ] 

c [ p ] 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 


CAUSES: MECHANICAL SHOCK, VIBRATION, CONTAMINATION, CORROSION, 

PIECE PART STRUCTURAL FAILURE 

EFFECTS/RATIONALE : 

OXYGEN OVERPRESSURIZATION WILL CAUSE SEAL FAILURE AND OXYGEN 
LEAKAGE AND COOLANT OVERPRESSURE (THROUGH ACCUMULATOR). OXYGEN 
OVERPRESSURIZATION WOULD BE CAUSE FOR FUEL CELL SHUTDOWN. 


REFERENCES : 


REPORT DATE 11/24/86 


C-15 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/01/86 

EPG 

115 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 2/1R 

ABORT: 1/1 


ITEM: INTEGRATED DUAL GAS REGULATOR 

FAILURE MODE: 02 STARVATION 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) RCS 

5) 

6 ) 

7) 

8 ) 

9 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

1/1 

LIFTOFF: 

2/1R 

TAL: 

1/1 

ONORBIT: 

2/1R 

AOA: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

2/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 3 

B [ p 3 

c [ P 3 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 

CAUSES: MECHANICAL SHOCK, VIBRATION, CONTAMINATION, CORROSION, 

PIECE PART STRUCTURAL FAILURE 

EFFECTS/RATIONALE : 

OXYGEN STARVATION WILL CAUSE ELECTROLYTE DEPLETION WATER 
CONTAMINATION, AND SEAL FAILURE. REACTANT STARVATION CAUSES 
INADVERTANT FUEL CELL SHUTDOWN. 


REFERENCES : 


REPORT DATE 11/24/86 


C-16 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/01/86 

EPG 

116 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 2/1R 

ABORT: 2/1R 


ITEM: INTEGRATED DUAL GAS REGULATOR 

FAILURE MODE: PURGE FAILURE 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 


1) 

EPG 

2) 

FCP 

3) 

ASA 

4) 

RCS 

5) 


6) 


7) 


8) 


9) 



CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/1R 

LIFTOFF: 

2/1R 

TAL: 

3/1R 

ONORBIT: 

2/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

2/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

c [ P 3 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 

CAUSES: ELECTRICAL FAILURE, MECHANICAL SHOCK, VIBRATION, 

CONTAMINATION, CORROSION, PIECE PART STRUCTURAL FAILURE 

EFFECTS/RATIONALE : 

PURGE FAILURE OF THE INTEGRATED DUAL GAS REGULATOR WILL DEGRADE 
THE FUEL CELL PERFORMANCE. AN ADDITIONAL FAILURE RESULTING IN 
THE NEED TO VENT WOULD CAUSE REACTANT OVERPRESSURE, WHICH 
REQUIRES FCP SHUTDOWN. 


REFERENCES : 


REPORT DATE 11/24/86 


C-17 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/01/86 

EPG 

117 


HIGHEST CRITICALITY 
FLIGHT: 
ABORT: 


HDW/FUNC 

1/1 

1/1 


ITEM: H2/02 LINES AND FITTINGS AND ACCESSORY COMPONENTS 

FAILURE MODE: REACTANT LEAKAGE TO THE ORBITER (EXTERNAL LEAKAGE) 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) RCS 

5) 

6 ) 

7) 

8 ) 

9 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

1/1 

RTLS: 

1/1 

LIFTOFF: 

1/1 

TAL: 

1/1 

ONORBIT: 

1/1 

AOA: 

1/1 

DEORBIT: 

1/1 

ATO: 

1/1 

LANDING/SAFING: 

1/1 



REDUNDANCY SCREENS: 

A [NA ] 

B [NA ] 

C [NA ] 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 


CAUSES: VIBRATION, MECHANICAL SHOCK, CORROSION, CONTAMINATION, 

PIECE PART STRUCTURAL FAILURE 


EFFECTS/RATIONALE : 

AN EXTERNAL REACTANT LEAK AT THE COMPONENT CAN CAUSE A POTENTIAL 
EXPLOSION/FIRE. THE LEAKAGE IS DETECTABLE BY HIGH REACTANT FLOW 
RATES. 


REFERENCES : 


REPORT DATE 11/24/86 


C-18 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/01/86 

EPG 

118 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 2/1R 

ABORT: 2/1R 


ITEM: 02/H2 PURGE-VENT LINES AND VENT NOZZLES 

FAILURE MODE: RESTRICTED FLOW 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 


1) 

EPG 

2) 

FCP 

3) 

ASA 

4) 

RCS 

5) 


6) 


7) 


8) 


9) 



CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/1R 

LIFTOFF: 

2/1R 

TAL: 

3/1R 

ONORBIT: 

2/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

2/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A[l] 

B [ P ] 

C [ P ] 


LOCATION: MID-BODY 

PART NUMBER: V070-454720-003, V070-454720-004, V070-454210, V070- 

454211 

CAUSES: CONTAMINATION, FREEZING 

EFFECTS/RATIONALE : 

RESTRICTED FLOW WITHIN THE VENT LINES AND NOZZLES PREVENTS THE 
PURGE OF THE FUEL CELL POWERPLANTS (FCP) . THE INABILITY TO PURGE 
FCP*S WILL DEGRADE THEIR PERFORMANCE. AN ADDITIONAL FAILURE 
RESULTING IN THE NEED TO VENT COULD BE CATASTROPHIC. 

THIS WOULD CAUSE REACTANT OVERPRESSURE. THIS FAILURE WOULD BE 
DETECTED DURING PURGE ATTEMPTS AND BY H2/02 FLOWS AND PURGE LINE 
TEMPERATURE SENSORS. 


REFERENCES: 


REPORT DATE 11/24/86 


C-19 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/01/86 

EPG 

119 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/3 

ABORT: 3/3 


ITEM: 02 PURGE LINE TEMPERATURE SENSOR 

FAILURE MODE: OPEN OR SHORT 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 


1 ) 

EPG 

2 ) 

FCP 

3 ) 

ASA 

4 ) 

RCS 

5 ) 


6 ) 


7 ) 


8 ) 


9 ) 



CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

•LIFTOFF: 

3/3 

TAL: 

3/3 

ONORBIT: 

3/3 

AOA: 

3/3 

DEORBIT: 

3/3 

ATO: 

3/3 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [NA ] 

B [NA ] 

C [NA 3 


LOCATION: MID-BODY 

PART NUMBER: ME449-0160-0003 

CAUSES: VIBRATION, SHOCK, CORROSION, ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

A FAILED TEMPERATURE SENSOR PREVENTS THE AUTO PURGE SEQUENCE BY 
INDICATING A CONSTANT LOW SCALE TEMPERATURE. MANUAL PURGE CAN BE 
PERFORMED. 


REFERENCES : 


REPORT DATE 11/24/86 


C-20 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10 / 01/86 

EPG 

120 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/3 

ABORT: 3/3 


ITEM: 02 PURGE LINE TEMPERATURE SENSOR 

FAILURE MODE: OUT OF TOLERANCE 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) RCS 

5) 

6 ) 

7) 


V) 

9) 





CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

LIFTOFF: 

3/3 

TAL: 

3/3 

ONORBIT: 

3/3 

AO A: 

3/3 

DEORBIT: 

3/3 

ATO: 

3/3 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [NA ] 

B [NA ] 

C [NA ] 


LOCATION: MID-BODY 

PART NUMBER: ME449-0160-0003 


CAUSES: VIBRATION, SHOCK, CORROSION, ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

IF THE SENSOR INDICATES A HIGH TEMPERATURE, THEN THE PURGE VALVE 
COULD OPEN BEFORE THE OXYGEN LINE IS HEATED. THEREFORE, THE LINE 
COULD FREEZE WHICH COULD PREVENT PURGING. THE LOSS OF PURGING 
COULD CAUSE DEGRADED FUEL CELL PERFORMANCE. USE OF MANUAL 
HEATERS WOULD ALLEVIATE THE PROBLEM. 


REFERENCES : 


REPORT DATE 11/24/86 


C-21 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/01/86 

EPG 

121 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/3 

ABORT: 3/3 


ITEM: H2 PURGE LINE TEMPERATURE SENSORS 1 & 2 

FAILURE MODE: OPEN OR SHORTED 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 


1) 

EPG 

2) 

FCP 

3) 

ASA 

4) 

RCS 

5) 


6) 


7) 


8) 


9) 



FLIGHT PHASE 
PRELAUNCH: 
LIFTOFF: 
ONORBIT: 
DEORBIT: 
LANDING/SAFING: 


CRITICALITIES 


HDW/FUNC 

3/3 

3/3 

3/3 

3/3 

3/3 


ABORT 
RTLS: 
TAL: 
AO A: 
ATO: 


HDW/FUNC 

3/3 

3/3 

3/3 

3/3 


REDUNDANCY SCREENS: A [NA ] B [NA ] 


C [NA ] 


LOCATION: MID-BODY 

PART NUMBER: ME449-0160-003 


CAUSES: VIBRATION, SHOCK, CORROSION, ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

A FAILED TEMPERATURE SENSOR PREVENTS THE AUTO PURGE SEQUENCE BY 
INDICATING A CONSTANT LOW SCALE TEMPERATURE. MANUAL PURGE CAN BE 
PERFORMED. 


REFERENCES : 


REPORT DATE 11/24/86 


C-22 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/01/86 

EPG 

122 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/3 

ABORT: 3/3 


ITEM: H2 PURGE LINE TEMP. SENSORS 1 & 2 

FAILURE MODE: OUT OF TOLERANCE 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 


1) 

EPG 

2) 

FCP 

3) 

ASA 

4) 

RCS 

5) 


6) 


7) 


8) 


9) 



CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

LIFTOFF: 

3/3 

TAL: 

3/3 

ONORBIT: 

3/3 

AO A: 

3/3 

DEORBIT: 

LANDING/SAFING: 

3/3 

3/3 

ATO: 

3/3 

REDUNDANCY SCREENS: 

A [NA ] 

B [NA ] 

C [NA 3 


LOCATION: MID-BODY 

PART NUMBER: ME449-0160-003 


CAUSES: VIBRATION, SHOCK, CORROSION, ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

IF THE SENSOR INDICATES A HIGH TEMPERTURE, THEN THE PURGE VALVE 
COULD OPEN BEFORE THE LINE IS HEATED. THIS COULD CAUSE THE LINE 
TO FREEZE. A FROZEN LINE COULD PREVENT A PURGE WHICH WOULD CAUSE 
PERFORMANCE OF THE FUEL CELL TO BE DEGRADED. USE OF MANUAL 
HEATERS WOULD ALLEVIATE THE PROBLEM. 


REFERENCES: 


REPORT DATE 11/24/86 


C-23 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/01/86 

EPG 

123 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/1R 

ABORT: 3/1R 


ITEM: 02 PURGE LINE HEATERS (6) 

FAILURE MODE: FAIL OFF 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) RCS 

5) 

6 ) 

7) 

8 ) 

9 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

LIFTOFF: 

3/3 

TAL: 

3/3 

ONORBIT: 

3/1R 

AO A: 

3/3 

DEORBIT: 

3/3 

ATO: 

3/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C [ P ] 


LOCATION: MID-BODY 

PART NUMBER: MC363-0038-0001, -0004 


CAUSES: VIBRATION, SHOCK, HUMIDITY, SWITCH FAILURE, SHORT 

CIRCUIT 


EFFECTS/RATIONALE: 

THE FAILURE OF THE GPC HEATER CIRCUITS HAS NO EFFECT ON THE 
SYSTEM BECAUSE OF REDUNDANT HEATER CIRCUITS. IF BOTH HEATER 
CIRCUITS FAILED, THE LINE COULD FREEZE AND PURGE CAPABILITY WOULD 
BE LOST. A FAILURE RESULTING IN THE NEED TO VENT COULD CAUSE 
OVERPRESSURI ZATION . 


REFERENCES : 


REPORT DATE 11/24/86 


C-24 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/01/86 

EPG 

124 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/3 

ABORT: 3/3 


ITEM: 02 PURGE LINE HEATERS (6) 

FAILURE MODE: FAIL ON 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 


1) 

EPG 

2) 

FCP 

3) 

ASA 

4) 

RCS 

5) 


6) 


7) 


8) 


9) 



CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

LIFTOFF: 

3/3 

TAL: 

3/3 

ONORBIT: 

3/3 

AO A: 

3/3 

DEORBIT: 

LANDING/SAFING: 

3/3 

3/3 

ATO: 

3/3 

REDUNDANCY SCREENS: 

A [NA ] 

B [NA ] 

C [NA ] 


LOCATION: MID-BODY 

PART NUMBER: MC363-0038-0001, -0004 


CAUSES: VIBRATION, SHOCK, HUMIDITY, SWITCH FAILURE, SHORT 

CIRCUIT 

EFFECTS/RATIONALE : 

A FAILED ON HEATER HAS NO MAJOR EFFECT ON THE FUEL CELL. 


REFERENCES : 


REPORT DATE 11/24/86 


C-25 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/01/86 

EPG 

125 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/1R 

ABORT: 3/1R 


ITEM: H2 PURGE LINE HEATERS (6) AND NOZZLE HEATERS (2) 

FAILURE MODE: FAIL OFF 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) RCS 

5) 

6 ) 

7) 

8 ) 

9 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

LIFTOFF: 

3/3 

TAL: 

3/3 

ONORBIT: 

3/1R 

AO A: 

3/3 

DEORBIT: 

3/3 

ATO: 

3/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C [ P ] 


LOCATION: MID-BODY 

PART NUMBER: MC363-0038-0003, -0004 


CAUSES: VIBRATION, SHOCK, HUMIDITY, SWITCH FAILURE, SHORT 

CIRCUIT 


EFFECTS/RATIONALE : 

THE FAILURE OF THE GPC HEATER CIRCUITS HAS NO EFFECT ON THE FUEL 
CELL BECAUSE OF REDUNDANT HEATERS. IF BOTH HEATER CIRCUITS FAIL, 
THE LINE COULD FREEZE AND PURGE CAPABILITY WOULD BE LOST. 

A FAILURE RESULTING IN THE NEED TO VENT COULD CAUSE 
OVERPRESSURIZATION . 


REFERENCES : 


REPORT DATE 11/24/86 


C-26 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/01/86 

EPG 

126 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/3 

ABORT: 3/3 


ITEM: H2 PURGE LINE HEATERS (6) AND NOZZLE HEATERS (2) 

FAILURE MODE: FAIL ON 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 


1) 

EPG 

2) 

FCP 

3) 

ASA 

4) 

RCS 

5) 


6) 


7) 


8) 


9 ) 



CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

LIFTOFF: 

3/3 

TAL: 

3/3 

ONORBIT: 

3/3 

AOA: 

3/3 

DEORBIT: 

3/3 

ATO: 

3/3 

LANDING/SAFING: 

3/3 


REDUNDANCY SCREENS: 

A [NA ] 

B [NA ] 

C [NA ] 


LOCATION: MID-BODY 

PART NUMBER: MC363-0038-0003, -0004 


CAUSES: VIBRATION, SHOCK, HUMIDITY, SWITCH FAILURE, SHORT 

CIRCUIT 

EFFECTS/RATIONALE : 

A FAILED ON HEATER HAS NO MAJOR EFFECT ON THE FUEL CELL. 


REFERENCES : 


REPORT DATE 11/24/86 


C-27 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/01/86 

EPG 

127 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/1R 

ABORT: 3/1R 


ITEM: 02/H2 FLOWMETER 

FAILURE MODE: ZERO OUTPUT 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) RCS 

5) 

6 ) 

7) 

8 ) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/1R 

LIFTOFF: 

3/1R 

TAL: 

3/1R 

ONORBIT: 

3/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

3/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

c C p ] 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 


CAUSES: VIBRATION, SHOCK, CORROSION, ELETRICAL FAILURE 

EFFECTS/RATIONALE : 

IF A FLOWMETER MALFUNCTIONS, THEN LEAKING REACTANT WOULD BE 
UNDETECTABLE WHICH COULD POSSIBLY BE CATASTROPHIC. 


REFERENCES : 


REPORT DATE 11/24/86 


C-28 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

11/03/86 


HIGHEST CRITICALITY 

HDW/FUNC 

SUBSYSTEM: 

EPG 


FLIGHT: 

3/3 

MDAC ID: 

128 


ABORT: 

3/3 

ITEM: 

START-UP 

HEATER 



FAILURE MODE 

!: FAIL OFF 




LEAD ANALYST 

: M. HIOTT 

SUBSYS 

LEAD: M. HIOTT 



BREAKDOWN HIERARCHY: 


1) 

EPG 

2) 

FCP 

3) 

ASA 

4) 

TCS 

5) 


6) 


7) 


8) 


9) 



CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

LIFTOFF: 

3/3 

TAL: 

3/3 

ONORBIT: 

3/3 

AO A: 

3/3 

DEORBIT: 

LANDING/SAFING: 

3/3 

3/3 

ATO: 

3/3 

REDUNDANCY SCREENS: 

A [NA ] 

B [NA ] 

C [NA ] 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 


CAUSES: VIBRATION, SHOCK, ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

THE START/SUSTAINING HEATERS HAVE BEEN DISCONNECTED ON FCP1. 
FUEL CELL START-UP PROCESS WOULD TAKE LONGER AND WOULD POSSIBLY 
HAVE DEGRADED FUEL CELL PERFORMANCE DUE TO LOSS OF SUSTAINING 
HEATER THAT MAINTAINS COOLANT TEMPERATURE. 


REFERENCES: 


REPORT DATE 11/24/86 


C-29 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

129 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 2/1R 

ABORT: 2/1R 


ITEM: START-UP HEATER 

FAILURE MODE: FAIL ON 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) TCS 

5) 

6 ) 

7) 

8 ) 

9 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/1R 

LIFTOFF: 

2/1R 

TAL: 

3/1R 

ONORBIT: 

2/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

2/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C [ P ] 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 

CAUSES: VIBRATION, SHOCK, ELECTRICAL FAILURE 


EFFECTS/RATIONALE : 

IF THE HEATER FAILS ON, THE FUEL CELL WOULD OVERHEAT WHICH COULD 
CAUSE EXCESSIVE KOH RELEASE AND ELECTROLYTE DRYOUT. ELECTROLYTE 
DRYOUT CAN LEAD TO CROSSOVER AND REQUIRES FCP SHUTDOWN. THE HEAT 
COULD CAUSE COOLANT TO DRYOUT OR CHAR. THIS COULD POSSIBLY LEAD 
TO COOLANT PUMP FAILURE DUE TO PLUGGING FROM COOLANT CHARRING BY- 
PRODUCT. THIS WOULD ALSO REQUIRE FUEL CELL SHUTDOWN. 


REFERENCES : 


REPORT DATE 11/24/86 


C-30 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 
EP6 
13 0 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 2/1R 

ABORT: 2/1R 


ITEM: H2/02 PREHEATER 

FAILURE MODE: RESTRICTED COOLANT FLOW 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) TCS 

5) 

6 ) 

7) 

8 ) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/1R 

LIFTOFF: 

2/1R 

TAL: 

3/1R 

ONORBIT: 

2/1R 

AOA: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

2/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

c [ p 3 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 


CAUSES: VIBRATION, MECHANICAL SHOCK 


EFFECTS/RATIONALE : 

LOSS OF COOLANT FLOW TO THE FCP WOULD REQUIRE THE FUEL CELL TO BE 
SHUTDOWN. THIS WOULD BE DETECTED BY THE COOLANT DELTA PRESSURE 
SWITCH. 


REFERENCES: 


REPORT DATE 11/24/86 


C-31 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 

DATE: 11/03/86 HIGHEST CRITICALITY HDW/FUNC 

SUBSYSTEM: EPG FLIGHT: 2/1R 

MDAC ID: 131 ABORT: 2/1R 

ITEM: H2/02 PREHEATER, PUMP, THERMAL CONTROL VALVE, 

CONDENSER, FILTERS, START/ SUSTAIN HEATER, ACCUMULATOR, FLEXIBLE 
INTERFACES, ECLSS HEAT EXCHANGERS 
FAILURE MODE: EXTERNAL LEAK OF TCS COOLANT 

LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) TCS 

5) 

6 ) 

7) 

8 ) 

9 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/1R 

LIFTOFF: 

2/1R 

TAL: 

3/1R 

ONORBIT: 

2/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

2/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A E 1 ] 

B [ P ] 

C [ P ] 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 


CAUSES: VIBRATION, MECHANICAL SHOCK 

EFFECTS/RATIONALE : 

EXTERNAL LEAKAGE CAUSES A DECREASE IN COOLANT PRESSURE OF THE 
SYSTEM AND LOSS OF COOLANT FLOW TO THE FCP. THIS IS DETECTABLE 
BY THE COOLANT DELTA PRESSURE SWITCH. LOSS OF COOLANT WILL CAUSE 
FCP OVERHEATING AND POSSIBLE REACTANT CROSSOVER. THIS 
REQUIRES FCP SHUTDOWN. 


REFERENCES : 


REPORT DATE 11/24/86 


C-32 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

11/03/86 


HIGHEST CRITICALITY 

HDW/FUNC 

SUBSYSTEM: 

EPG 


FLIGHT: 

2/1R 

MDAC ID: 

132 


ABORT: 

2/1R 

ITEM: 

COOLANT 

PUMP 



FAILURE MODE 

:: loss of 

OUTPUT 



LEAD ANALYST 

: M. HIOTT 

SUBSYS 

LEAD: M. HIOTT 



BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) TCS 

5) 

6 ) 

7) 

8) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/1R 

LIFTOFF: 

2/1R 

TAL: 

3/1R 

ONORBIT: 

2/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

2/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

c [ p 3 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 


CAUSES: CONTAMINATION, VIBRATION, CORROSION, ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

COOLANT PUMP FAILURE WILL RESULT IN FCP OVERHEATING DUE TO 
INSUFFICIENT COOLANT FLOW. THIS MAY RESULT IN ELECTROLYTE DRYOUT 
WHICH COULD CAUSE REACTANT CROSSOVER. THIS REQUIRES FCP 
SHUTDOWN. 


REFERENCES: 


REPORT DATE 11/24/86 


C-33 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

133 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/3 

ABORT: 3/3 


ITEM: COOLANT PRESSURE SWITCH 

FAILURE MODE: FAIL OPEN 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) TCS 

5) 

6) 

7) 

8) 

9 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

LIFTOFF: 

3/3 

TAL: 

3/3 

ONORBIT: 

3/3 

AO A: 

3/3 

DEORBIT: 

LANDING/SAFING: 

3/3 

3/3 

ATO: 

3/3 

REDUNDANCY SCREENS: 

A [NA ] 

B [NA ] 

C [NA 3 


LOCATION: MID-BODY 

PART NUMBER: MC4 64-0115 


CAUSES: PIECE PART FAILURE, SHOCK, VIBRATION 

EFFECTS/RATIONALE : 

THE PRESSURE TAB WILL NOT GO GRAY WHEN FUEL CELL START-UP IS 
PERFORMED OR IT WILL GO TO BARBER POLE, IF THE FCP IS ALREADY 
RUNNING. RELAY K9 WILL NOT CLOSE, WHICH WILL PREVENT START-UP 
HEATER FROM ACTIVATING AND THE FLOW CONTROL BY-PASS VALVE 
FROM ACTIVATING. IF START BUTTON IS RELEASED THE FUEL CELL WILL 
DO AN AUTOMATIC SHUTDOWN. NOTE: FUEL CELL CAN STILL BE STARTED 

IF THE START BUTTON IS HELD DOWN FOR AT LEAST 32 SECONDS. THIS 
ALLOWS ENOUGH TIME FOR THE TIMER MODULE TO CLOSE RELAY K10. 


REFERENCES : 


REPORT DATE 11/24/86 


C-34 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

134 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/3 

ABORT: 3/3 


ITEM: STACK INLET TEMPERATURE SENSOR 

FAILURE MODE: FULL OUTPUT 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 


1) 

EPG 

2) 

FCP 

3) 

ASA 

4) 

TCS 

5) 


6) 


7) 


8) 


9) 



CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

PRELAUNCH: 

3/3 

RTLS 

LIFTOFF: 

3/3 

TAL: 

ONORBIT: 

3/3 

AO A: 

DEORBIT: 

3/3 

ATO: 

LANDING/SAFING: 

3/3 



HDW/FUNC 

3/3 

3/3 

3/3 

3/3 


REDUNDANCY SCREENS: A [NA ] B [NA ] C [NA ] 

LOCATION: MID-BODY 

PART NUMBER: MC464-0115 


CAUSES: VIBRATION, SHOCK, ELECTRICAL FAILURE 


EFFECTS/RATIONALE : 

DETECTS STACK INLET TEMPERATURE USED BY START-UP HEATER 
ELECTRONICS. FAILURE HIGH WOULD PREVENT HEATER OPERATION WHICH 
WOULD SLOW THE START-UP PROCESS. NOTE THAT THE START-UP HEATER 
IS DISCONNECTED ON FCP#1. 


REFERENCES : 


REPORT DATE 11/24/86 


C-35 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

11/03/86 

HIGHEST CRITICALITY 

HDW/FUNC 

SUBSYSTEM: 

EPG 

FLIGHT: 

3/1R 

MDAC ID: 

135 

ABORT: 

3/1R 

ITEM: 

STACK INLET 

TEMPERATURE SENSOR 


FAILURE MODE: LOW OUTPUT 

LEAD ANALYST: M. HIOTT 

SUBSYS LEAD: M. HIOTT 



BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) TCS 

5) 

6 ) 

7) 

8) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/1R 

LIFTOFF: 

3/1R 

TAL: 

3/1R 

ONORBIT: 

3/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

3/1R 

LANDING/SAFING: 

3/3 




REDUNDANCY SCREENS: A[l] B [ P ] C [ P ] 

LOCATION: MID-BODY 

PART NUMBER: MC464-0115 

CAUSES: VIBRATION, SHOCK, ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

MEASURES THE TEMPERATURE OF COOLANT ENTERING STACK USED BY THE 
START-UP HEATER ELECTRONICS. FAILURE LOW WOULD LOSE ONE PATH FOR 
START-UP HEATER SHUTDOWN. REMAINING PATH IS STACK OUTLET 
TEMPERATURE SENSOR AND ELECTRONICS AND MANUAL SWITCHES. 

FAILURE OF REDUNDANT PATHS COULD CAUSE START-UP HEATER TO FAIL ON 
WHICH COULD REQUIRE FCP SHUTDOWN. 


REFERENCES : 


REPORT DATE 11/24/86 


C-36 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

11/03/86 

HIGHEST CRITICALITY 

HDW/FUNC 

SUBSYSTEM: 

EPG 

FLIGHT: 

3/3 

MDAC ID: 

136 

ABORT: 

3/3 

ITEM: 

STACK OUTLET 

TEMPERATURE SENSOR 


FAILURE MODE 

!: FULL OUTPUT 



LEAD ANALYST 

: M. HIOTT 

SUBSYS LEAD: M. HIOTT 



BREAKDOWN HIERARCHY: 


1) 

EPG 

2) 

FCP 

3) 

ASA 

4) 

TCS 

5) 


6) 


7) 


8) 


9) 



CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

LIFTOFF: 

3/3 

TAL: 

3/3 

ONORBIT: 

3/3 

AO A: 

3/3 

DEORBIT: 

LANDING/SAFING: 

3/3 

3/3 

ATO: 

3/3 

REDUNDANCY SCREENS: 

A [NA ] 

B [NA ] 

C [NA ] 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 


CAUSES: VIBRATION, SHOCK, ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

MEASURES THE TEMPERATURE OF COOLANT EXITING THE STACK WHICH IS 
USED BY THE START-UP/ SUSTAINING HEATER ELETRONICS. FAILURE HIGH 
COULD PREVENT START-UP OR SUSTAINING HEATER OPERATION. START-UP 
HEATER FAILURE COULD SLOW THE FCP START-UP PROCESS. 

SUSTAINING HEATER FAILURE COULD DEGRADE THE FCP PERFORMANCE. 
NOTE: START-UP HEATER IS DISCONNECTED ON FCP#1. 


REFERENCES : 


REPORT DATE 11/24/86 


C-37 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

137 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/1R 

ABORT: 3/1R 


ITEM: STACK OUTLET TEMPERATURE SENSOR 

FAILURE MODE: LOW OUTPUT 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) TCS 

5) 

6 ) 

7) 

8) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/1R 

LIFTOFF: 

3/1R 

TAL: 

3/1R 

ONORBIT: 

3/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

3/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

c [ p ] 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 


CAUSES: VIBRATION, SHOCK, ELECTRICAL FAILURE 


EFFECTS/RATIONALE : 

MEASURES THE TEMPERATURE OF THE COOLANT EXITING THE STACK WHICH 
IS USED BY THE START-UP/ SUSTAINING HEATER ELECTRONICS. SENSOR 
FAILURE LOW COULD PREVENT START-UP OR SUSTAINING HEATER SHUTDOWN. 
THIS WOULD REQUIRE FCP SHUTDOWN. NOTE: START-UP HEATER IS 
DISCONNECTED ON FCP#1. 


REFERENCES : 


REPORT DATE 11/24/86 


C-38 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

11/03/86 

HIGHEST CRITICALITY 

HDW/FUNC 

SUBSYSTEM: 

EPG 

FLIGHT: 

2/1R 

MDAC ID: 

138 

ABORT: 

2/1R 

ITEM: 

WATER SEPARATOR PUMP 



FAILURE MODE 

: DEGRADED PERFORMANCE 



LEAD ANALYST 

: M. HIOTT SUBSYS 

LEAD: M. HIOTT 



BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) WRS 

5) 

6 ) 

7 ) 

8) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/1R 

LIFTOFF: 

2/1R 

TAL: 

3/1R 

ONORBIT: 

2/1R 

AOA: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

2/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 3 

B [ p 3 

c [ p 3 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 


CAUSES: CONTAMINATION, STRUCTURAL PART FAILURE, ELECTRICAL 

FAILURE 

EFFECTS/RATIONALE : 

A FAILED OFF OR DEGRADED PERFORMANCE WATER SEPARATOR PUMP WILL 
FLOOD A FUEL CELL. THIS RESULTS IN DECREASED ELECTROLYTE 
CONCENTRATION AND REQUIRES FUEL CELL SHUTDOWN. AN ERRATIC PUMP 
MOTOR IS DETECTABLE BY ITS VOLTAGE AND CURRENT MEASUREMENTS, 
BECAUSE OF LIQUID GETTING INTO THE PUMP. A MOTOR FAILURE IS ALSO 
DETECTABLE BY A PH MEASUREMENT AND HIGH CONDENSER OUTLET 
TEMPERATURE. 


REFERENCES : 


REPORT DATE 11/24/86 


C-39 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

139 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 2/1R 

ABORT: 1/1 


ITEM: WATER SEPARATOR PUMP/WATER CONDENSATE TRAP 

FAILURE MODE: RESTRICTED FLOW 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 


1) 

EPG 

2) 

FCP 

3) 

ASA 

4) 

WRS 

5) 


6) 


7) 


8) 


9) 



FLIGHT PHASE 
PRELAUNCH: 
LIFTOFF: 
ONORBIT: 
DEORBIT: 
LANDING/SAFING: 


CRITICALITIES 
HDW/FUNC ABORT 


3/3 

2/1R 

2/1R 

3/1R 

3/3 


RTLS: 
TAL: 
AO A: 
ATO: 


HDW/FUNC 

1/1 

1/1 

3/1R 

2/1R 


REDUNDANCY SCREENS: A [ 1 ] B [ P ] 


C[P] 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 


CAUSES: CONTAMINATION 

EFFECTS/RATIONALE : 

RESTRICTED HYDROGEN FLOW FROM THE WATER SEPARATOR PUMP CAUSES 
REACTANT STARVATION AND INADVERTANT FUEL CELL SHUTDOWN. LOSS OF 
A SINGLE FUEL CELL REQUIRES PRIORITY MISSION AND/OR ABORT 
DECISION. 


REFERENCES : 


REPORT DATE 11/24/86 


C-40 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

141 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 2/1R 

ABORT: 2/1R 


ITEM: THERMAL CONTROL VALVE 

FAILURE MODE: ERRONEOUS OUTPUT 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) TCS 

5 ) 

6) 

7 ) 

8) 

9 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/1R 

LIFTOFF: 

2/1R 

TAL: 

3/1R 

ONORBIT: 

2/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

2/1R 

LANDING/ SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

c [ p ] 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 


CAUSES: FATIGUE, MECHANICAL SHOCK, ELECTRICAL FAILURE, BINDING 

EFFECTS/RATIONALE : 

ERRONEOUS OUTPUT COULD CAUSE ELECTROLYTE DRY OUT. THE CONDENSER 
WOULD CONDENSE TOO MUCH WATER. THIS CONDITION CAN LEAD TO 
REACTANT CROSSOVER AND EXPLOSION. IF THE REVERSE FAILURE OCCURS, 
FUEL CELL FLOODING COULD OCCUR. 

COOLANT TEMPERATURE WOULD NOT BE SUFFICIENT FOR CONDENSING WATER. 
EITHER FAILURE REQUIRES FUEL CELL SHUTDOWN. 


REFERENCES : 


REPORT DATE 12/04/86 


C-42 


PRECEDING PAGE BLANK NOT FILMED 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

142 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 2/1R 

ABORT: 2/1R 


ITEM: WATER DISCHARGE VALVE 

FAILURE MODE: FAIL CLOSED 


LEAD ANALYST: M. HIOTT 


SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) WRS 

5) 

6 ) 

7) 

8) 

9 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/1R 

LIFTOFF: 

2/1R 

TAL: 

3/1R 

ONORBIT: 

2/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

2/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

c [ p ] 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 


CAUSES: VIBRATION, MECHANICAL SHOCK, CORROSION, ELECTRICAL 

FAILURE 


EFFECTS/RATIONALE : 

A FAILED CLOSED WATER DISCHARGE VALVE WILL CAUSE FUEL CELL 
FLOODING FROM WATER BUILD UP. FLOODING OF THE FUEL CELL REQUIRES 
SHUTDOWN. 


REFERENCES : 


REPORT DATE 11/24/86 


C-43 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

143 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 2/1R 

ABORT: 2/1R 


ITEM: H20 DISCHARGE LINE 

FAILURE MODE: RESTRICTED FLOW 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) WRS 

5) 

6 ) 

7) 

8 ) 

9 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/1R 

LIFTOFF: 

2/1R 

TAL: 

3/1R 

ONORBIT: 

2/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

2/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

c [ P ] 


LOCATION: MID-BODY 

PART NUMBER: MC363-0038-0006 


CAUSES: CONTAMINATION, CORROSION, FROZEN WATER 

EFFECTS/RATIONALE : 

RESTRICTED FLOW CAUSES FUEL CELL FLOODING AND SHUTDOWN. 


REFERENCES : 


REPORT DATE 11/24/86 


C-44 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

144 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/3 

ABORT: 3/3 


ITEM: PH WATER SENSOR 

FAILURE MODE: ERRONEOUS OUTPUT 


LEAD ANALYST: M. HIOTT 


SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 


1) 

EPG 

2) 

FCP 

3) 

ASA 

4) 

WRS 

5) 


6) 


7) 


8) 


8) 



CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

LIFTOFF: 

3/3 

TAL: 

3/3 

ONORBIT: 

3/3 

AO A: 

. 3/3 

DEORBIT: 

3/3 

ATO: 

3/3 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [NA ] 

B [NA ] 

C [NA ] 


LOCATION: MID-BODY 

PART NUMBER: MC464-0115 


CAUSES: VIBRATION, SHOCK, CORROSION, ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

IF THE PH SENSOR FAILS TO WORK, THE PH CAN BE TESTED MANUALLY. 


REFERENCES : 


REPORT DATE 11/24/86 


C-45 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

145 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/3 

ABORT: 3/3 


ITEM: PRODUCT WATER LINE TEMPERATURE SENSOR 

FAILURE MODE: ERRONEOUS OUTPUT 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 


1) 

EPG 

2) 

FCP 

3) 

ASA 

4) 

WRS 

5) 


6) 


7) 


8) 


9) 



CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

LIFTOFF: 

3/3 

TAL: 

3/3 

ONORBIT: 

3/3 

AO A: 

3/3 

DEORBIT: 

3/3 

ATO: 

3/3 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [NA ] 

B [NA ] 

C [NA 3 

LOCATION: MID-BODY 

PART NUMBER: ME449-0160-003 




CAUSES: VIBRATION, SHOCK, CORROSION, ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

A FAILED TEMPERATURE SENSOR CAUSES LOSS OF MEASUREMENT. A FAILED 
TEMPERATURE SENSOR CAN BE DETECTED BY SWITCHING TO THE STANDBY 
HEATERS AND CHECKING THE MEASUREMENT TO SEE IF IT STABILIZES. IF 
THE MEASUREMENT STABILIZES, THIS WOULD INDICATE THAT A FAILED 
HEATER WAS CAUSING THE PROBLEM. 


REFERENCES : 


REPORT DATE 11/24/86 


C-46 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

146 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/3 

ABORT: 3/3 


ITEM: PRODUCT WATER LINE HEATER (A&B) 

FAILURE MODE: FAILED ON 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 


1) 

EPG 

2) 

FCP 

3) 

ASA 

4) 

WRS 

5) 


6) 


7) 


8) 


8) 



CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

LIFTOFF: 

3/3 

TAL: 

3/3 

ONORBIT: 

3/3 

AOA: 

3/3 

DEORBIT: 

3/3 

ATO: 

3/3 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [NA ] 

B [NA ] 

C [NA ] 


LOCATION: MID-BODY 

PART NUMBER: MC363-0038-0006 


CAUSES: VIBRATION, SHOCK, ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

FAILED ON LINE HEATERS HAVE NO EFFECT ON THE CREW OR MISSION. 


REFERENCES : 


REPORT DATE 11/24/86 


C-47 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATES 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

147 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/3 

ABORT: 3/3 


ITEM: PRODUCT WATER LINE HEATER (A&B) 

FAILURE MODE: FAIL OFF 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN 


1) 

EPG 

2) 

FCP 

3) 

ASA 

4) 

WRS 

5) 


6) 


7) 


8) 


9) 



HIERARCHY: 


CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

PRELAUNCH: 

3/3 

RTLS 

LIFTOFF: 

3/3 

TAL: 

ONORBIT: 

3/3 

AO A: 

DEORBIT: 

3/3 

ATO: 

LANDING/SAFING: 

3/3 



HDW/FUNC 

3/3 

3/3 

3/3 

3/3 


REDUNDANCY SCREENS: A [NA ] 


B [NA ] C [NA ] 


LOCATION: MID-BODY 

PART NUMBER: MC3 63-0038-0006 


CAUSES: VIBRATION, SHOCK, ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

THE PRODUCT WATER LINE HEATERS ARE USED DURING START-UP. DURING 
NORMAL MISSIONS, THE HEATERS ARE NOT INITIATED, NOR IS THE FUEL 
CELL STOPPED AND RESTARTED. 


REFERENCES : 


REPORT DATE 11/24/86 


C-48 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

148 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 2/1R 

ABORT: 2/1R 


ITEM: PRODUCT WATER LINE 

FAILURE MODE: RESTRICTED FLOW (EXTERNAL LEAKAGE) 

LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) WRS 

5) 

6 ) 

7) 

8 ) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRE LAUNCH: 

3/3 

RTLS: 

2/1R 

LIFTOFF: 

2/1R 

TAL: 

2/1R 

ONORBIT: 

2/1R 

AO A: 

2/1R 

DEORBIT: 

2/1R 

ATO: 

2/1R 

LANDING/SAFING: 
REDUNDANCY SCREENS: 

3/3 

A [ 1 ] 

B [ P 3 

C [ P ] 


LOCATION: MID-BODY 

PART NUMBER: VO70-454110-124 


CAUSES: CONTAMINATION, FROZEN 

EFFECTS/RATIONALE : 

RESTRICTED FLOW WITHIN THE PRODUCT WATER LINE WOULD RESULT IN NO 
PRODUCT WATER TO THE ECLSS. IF THE WATER RELIEF LINE ALSO 
BECOMES BLOCKED, THEN ALL OF THE FUEL CELLS WOULD FLOOD. THIS 
MEANS YOU ARE ONE FAILURE AWAY FROM LOSS OF CREW/VEHICLE. 


REFERENCES : 


REPORT DATE 12/03/86 


C- 49 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

149 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/2R 

ABORT: 3/2R 


ITEM: WATER SUPPLY CHECK VALVE 

FAILURE MODE: EXTERNAL LEAKAGE 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) WRS 

5) 

6 ) 

7) 

8) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

LIFTOFF: 

3/2R 

TAL: 

3/3 

ONORBIT: 

3/2R 

AOA: 

3/3 

DEORBIT: 

3/3 

ATO: 

3/2R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P 3 

C [ F 3 


LOCATION: MID-BODY 

PART NUMBER: ME284-0475-0001 


CAUSES: VIBRATION, SHOCK, CORROSION, ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

AN EXTERNAL LEAK AT THE WATER SUPPLY CHECK VALVE CAUSES LOSS OF 
PRODUCT WATER FROM THE FUEL CELL TO THE ECLSS. LOSS OF ALL 
PRODUCT WATER MEANS MISSION TERMINATION DUE TO INSUFFICIENT 
POTABLE WATER. LEAKAGE OF THE CHECK VALVE IN THE WATER RELIEF 
PANEL ASSEMBLY CAN CAUSE FREEZING OF ALL FUEL CELL WATER LINES. 
THIS WOULD RESULT IN FLOODING OF ALL FUEL CELLS. 


REFERENCES : 


REPORT DATE 11/24/86 


C-50 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

150 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/1R 

ABORT: 3/1R 


ITEM: WATER SUPPLY CHECK VALVE 

FAILURE MODE: FAIL CLOSED 

LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) WRS 

5) 

6 ) 

7) 

8 ) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/1R 

LIFTOFF: 

3/1R 

TAL: 

3/1R 

ONORBIT: 

3/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

3/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C [ P ] 


LOCATION: MID-BODY 

PART NUMBER: ME284-0475-0001 


CAUSES: VIBRATION, MECHANICAL SHOCK 

EFFECTS/RATIONALE : 

FAILURE OF THE CHECK VALVE WOULD NOT BE CRITICAL UNLESS THE 
RELIEF VALVE ALSO FAILED CLOSED. THIS WOULD CAUSE THE FUEL CELL 
TO OVERPRESSURE AND FLOOD. 


REFERENCES : 


REPORT DATE 11/24/86 


C-51 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

151 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/2R 

ABORT: 3/2R 


ITEM: WATER SUPPLY CHECK VALVE 

FAILURE MODE: FAILS TO CHECK 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) WRS 

5) 

6 ) 

7) 

8 ) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

LIFTOFF: 

3/3 

TAL: 

3/3 

ONORBIT: 

3/2R 

AO A: 

3/3 

DEORBIT: 

3/3 

ATO: 

3/2R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ F ] 

c [ p ] 


LOCATION: MID-BODY 

PART NUMBER: ME284-0475-0001 


CAUSES: CONTAMINATION, FROZEN 

EFFECTS/RATIONALE : 

FAILURE OF A SINGLE CHECK VALVE TO CHECK PROPERLY MAY ALLOW ALL 
FUEL CELLS TO VENT WATER THROUGH A SINGLE WATER RELIEF VALVE. 

THE FIRST FAILURE WOULD BE A WATER RELIEF VALVE FAILED OPEN. THE 
SECOND FAILURE WOULD BE THE CHECK VALVE FOR THE SAME FUEL CELL 
FAILING TO CHECK. THIS COULD CAUSE MISSION TERMINATION DUE TO 
LOSS OF ALL POTABLE WATER. 


REFERENCES : 


REPORT DATE 11/24/86 


C-52 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

152 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/2R 

ABORT: 3/2R 


ITEM: WATER RELIEF VALVE 

FAILURE MODE: EXTERNAL LEAKAGE 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) WRS 

5) 

6 ) 

7) 

8 ) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

LIFTOFF: 

3/2R 

TAL: 

3/3 

ONORBIT: 

3/2R 

AOA: 

3/3 

DEORBIT: 

3/3 

ATO: 

3/2R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ p 3 

C [ F 3 


LOCATION: MID-BODY 

PART NUMBER: MC284-0431-0001 


CAUSES: VIBRATION, SHOCK, CORROSION, ELECTRICAL FAILURE 


EFFECTS/RATIONALE : 

AN EXTERNAL LEAK AT THE WATER RELIEF VALVE CAUSES LOSS OF PRODUCT 
WATER FROM THE FUEL CELL TO THE ECLSS. LOSS OF ALL PRODUCT WATER 
MEANS MISSION TERMINATION DUE TO INSUFFICIENT POTABLE WATER. 
LEAKAGE OF THE RELIEF VALVE IN THE WATER RELIEF PANEL ASSEMBLY 
CAN CAUSE FREEZING OF ALL FUEL CELL WATER LINES. THIS WOULD 
RESULT IN FLOODING OF ALL FUEL CELLS. 


REFERENCES : 


REPORT DATE 11/24/86 


C-53 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

153 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/2R 

ABORT: 3/2R 


ITEM: WATER RELIEF VALVE 

FAILURE MODE: FAILS OPEN 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) WRS 

5) 

6 ) 

7) 

8 ) 

9 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

LIFTOFF: 

3/3 

TAL: 

3/3 

ONORBIT: 

3/2R 

AOA: 

3/3 

DEORBIT: 

3/3 

ATO: 

3/2R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

c [ p ] 


LOCATION: MID-BODY 

PART NUMBER: MC284-0431-0001 


CAUSES: VIBRATION, SHOCK, CORROSION, ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

A FAILED OPEN WATER RELIEF VALVE CAUSES LOSS OF THE PRODUCT WATER 
FROM THE ONE FUEL CELL TO THE ECLSS. LOSS OF ALL PRODUCT WATER 
COULD OCCUR WITH A SECOND FAILURE: THE WATER RELIEF CHECK VALVE 
STUCK OPEN (FAILS TO CHECK) COULD ALLOW ALL PRODUCT WATER 
FROM ALL FCP'S TO VENT THROUGH THE SINGLE OPEN VALVE. 


REFERENCES: 


REPORT DATE 11/24/86 


C-54 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

154 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/1R 

ABORT: 3/1R 


ITEM: WATER RELIEF VALVE 

FAILURE MODE: FAILS CLOSED 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) WRS 

5) 

6 ) 

7) 

8 ) 

9 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/1R 

LIFTOFF: 

3/1R 

TAL: 

3/1R 

ONORBIT: 

3/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

3/1R 

LANDING/S AFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [NA ] 

c [ P ] 


LOCATION: MID-BODY 

PART NUMBER: MC284-0431-0001 


CAUSES: VIBRATION, SHOCK, CORROSION, ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

LOSS OF RELIEF VALVE CAUSES NO MAJOR IMPACT, BUT IF A BLOCKAGE 
OCCURS WITHIN THE ECLSS PRODUCT WATER LINE, THEN FUEL CELL WOULD 
FLOOD WHICH IS A GROUND RULE FOR FCP SHUTDOWN. 


REFERENCES : 


REPORT DATE 11/24/86 


C-55 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 

DATE: 11/03/86 HIGHEST CRITICALITY HDW/FUNC 

SUBSYSTEM: EPG FLIGHT: 3/1R 

MDAC ID: 155 ABORT: 3/1R 

ITEM: WATER RELIEF VALVE HEATER (A&B) 

FAILURE MODE: FAIL OFF 

LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4 ) WRS 

5) 

6 ) 

7) 

8) 

9) 



CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

LIFTOFF: 

3/1R 

TAL: 

3/1R 

ONORBIT: 

3/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

3/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B C P 3 

c [ p ] 


LOCATION: MID-BODY 

PART NUMBER: MC363-0038-0014 


CAUSES: VIBRATION, SHOCK, ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

FAILED OFF HEATERS COULD CAUSE WATER TO FREEZE IN VALVE AND BLOCK 
THE RELIEF LINE. THIS FAILURE COULD CAUSE LOSS OF A FCP, IF THE 
WATER NEEDS TO BE VENTED. REDUNDANT HEATERS MUST FAIL FOR THIS 
TO OCCUR. 


REFERENCES : 


REPORT DATE 11/24/86 


C-56 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 

DATE: 11/03/86 HIGHEST CRITICALITY HDW/FUNC 

SUBSYSTEM: EPG FLIGHT: 3/3 

MDAC ID: 156 ABORT: 3/3 

ITEM: WATER RELIEF VALVE HEATER A&B 

FAILURE MODE: FAIL ON 

LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) WRS 

5) 

6 ) 

7) 

8) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

LIFTOFF: 

3/3 

TAL: 

3/3 

ONORBIT: 

3/3 

AO A: 

3/3 

DEORBIT: 

LANDING/SAFING: 

3/3 

3/3 

ATO: 

3/3 

REDUNDANCY SCREENS: 

A [NA ] 

B [NA ] 

C [NA ] 


LOCATION: MID-BODY 

PART NUMBER: MC363-0038-0014 


CAUSES: VIBRATION, SHOCK, ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

FAILED ON HEATERS HAVE NO EFFECT ON THE FUEL CELL OR 
MISSION/CREW. 


REFERENCES : 


REPORT DATE 11/24/86 


C-57 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

157 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/3 

ABORT: 3/3 


ITEM: WATER RELIEF VALVE TEMPERATURE SENSOR 

FAILURE MODE: ERRONEOUS OUTPUT 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 


1) 

EPG 

2) 

FCP 

3) 

ASA 

4) 

WRS 

5) 


6) 


7) 


8) 


9) 



CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

LIFTOFF: 

3/3 

TAL: 

3/3 

ONORBIT: 

3/3 

AO A: 

3/3 

DEORBIT: 

LANDING/SAFING: 

3/3 

3/3 

ATO: 

3/3 

REDUNDANCY SCREENS: 

A [NA ] 

B [NA ] 

C [NA ] 


LOCATION: MID-BODY 

PART NUMBER: ME449-0160-0003 


CAUSES: VIBRATION, SHOCK, CORROSION, ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

A FAILED TEMPERATURE SENSOR CAUSES LOSS OF MEASUREMENT. A FAILED 
TEMPERATURE SENSOR CAN BE DETECTED BY SWITCHING TO THE STANDBY 
HEATERS AND CHECKING THE MEASUREMENT TO SEE IF IT STABILIZES. 

IF THE MEASUREMENT STABILIZES, THIS WOULD INDICATE THAT A FAILED 
HEATER WAS CAUSING THE PROBLEM. 


REFERENCES: 


REPORT DATE 11/24/86 


C-58 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

158 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/3 

ABORT: 3/3 


ITEM: WATER RELIEF LINE TEMPERATURE SENSOR 

FAILURE MODE: ERRONEOUS OUTPUT 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) WRS 

5) 

6) 

7) 


HDW/FUNC 

3/3 

3/3 

3/3 

3/3 


C [NA ] 

LOCATION: MID-BODY 

PART NUMBER: ME449-0160-0003 


8) 

9) 


CRITICALITIES 


FLIGHT PHASE 
PRELAUNCH: 
LIFTOFF: 
ONORBIT: 
DEORBIT: 
LANDING/SAFING: 


HDW/FUNC 

3/3 

3/3 

3/3 

3/3 

3/3 


ABORT 
RTLS: 
TAL: 
AO A: 
ATO: 


REDUNDANCY SCREENS: A [NA ] 


B [NA ] 


CAUSES: VIBRATION, CORROSION, ELECTRICAL FAILURE 


EFFECTS/RATIONALE : 

A FAILED TEMPERATURE SENSOR IS LOSS OF MEASUREMENT ONLY. (THE 
LINE HEATERS ARE CONTROLLED BY THERMOSTATS.) INSTRUMENT LOSS 
CAN BE CHECKED BY SWITCHING TO A REDUNDANT HEATER TO SEE IF THAT 
STABILIZES THE LINE TEMPERATURE. 


REFERENCES : 


REPORT DATE 11/24/86 


C-59 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

159 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 2/1R 

ABORT: 2/1R 


ITEM: WATER RELIEF (VENT) LINE 

FAILURE MODE: RESTRICTED FLOW 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) WRS 

5) 

6 ) 

7) 

8 ) 

9 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

2/1R 

LIFTOFF: 

2/1R 

TAL: 

2/1R 

ONORBIT: 

2/1R 

AO A: 

2/1R 

DEORBIT: 

2/1R 

ATO: 

2/1R 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [NA ] 

C [ P ] 


LOCATION: MID-BODY 

PART NUMBER: V070-454110 


CAUSES: CONTAMINATION, FREEZE-UP 

EFFECTS/RATIONALE: 

RESTRICTED FLOW WITHIN THE WATER RELIEF (VENT) LINE WOULD LOSE 
THE RELIEF FUNCTION FOR ALL CELLS. ADDITIONALLY, IF THE PRODUCT 
WATER LINE PLUGGED UP, THEN ALL THE FUEL CELLS WOULD FLOOD. 

THUS, WITH THE WATER RELIEF LINE PLUGGED, THERE IS ONLY ONE PATH 
(PRODUCT WATER LINE) REMAINING BEFORE LOSS OF LIFE/VEHICLE. 


REFERENCES : 


REPORT DATE 11/24/86 


C-60 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

160 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/1R 

ABORT: 3/1R 


ITEM: WATER VENT LINE HEATER A&B AND BARREL HEATER A&B 

FAILURE MODE: FAIL OFF 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) WRS 

5) 

6) 

7) 

8) 

9 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

LIFTOFF: 

3/1R 

TAL: 

3/1R 

ONORBIT: 

3/1R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

3/1R 

LANDING/SAFING: 
REDUNDANCY SCREENS: 

3/3 

A [ 1 ] 

B C P ] 

C [ P ] 


LOCATION: MID-BODY 

PART NUMBER: MC363-0038-0014 


CAUSES: VIBRATION, MECHANICAL SHOCK, ELECTRICAL FAILURE 


EFFECTS/RATIONALE : 

THE FIRST HEATER LOSS HAS NO EFFECT ON THE WATER VENT LINE 
BECAUSE OF REDUNDANT HEATERS. THE LOSS OF REDUNDANT HEATERS MAY 
CAUSE THE VENT LINE TO FREEZE. THIS FAILURE WOULD NOT BE A 
PROBLEM UNLESS THE ECLSS LINE IS ALSO BLOCKED, WHICH CAN CAUSE 
FUEL CELL FLOODING. 


REFERENCES : 


REPORT DATE 11/24/86 


C-61 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

161 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/3 

ABORT: 3/3 


ITEM: WATER VENT LINE HEATER A&B AND BARREL HEATER A&B 

FAILURE MODE: FAILED ON 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 


1) 

EPG 

2) 

FCP 

3) 

ASA 

4) 

WRS 

5) 


6) 


7) 


8) 


8) 



CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

LIFTOFF: 

3/3 

TAL: 

3/3 

ONORBIT: 

3/3 

AO A: 

3/3 

DEORBIT: 

LANDING/SAFING: 

3/3 

3/3 

ATO: 

3/3 

REDUNDANCY SCREENS: 

A [NA ] 

B [NA ] 

C [NA 3 


LOCATION: MID-BODY 

PART NUMBER: MC3 63-0038-0014 


CAUSES: VIBRATION, SHOCK, ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

FAILED ON HEATERS HAVE NO EFFECT ON THE CREW OR MISSION. 


REFERENCES : 


REPORT DATE 11/24/86 


C-62 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 

DATE: 11/03/86 HIGHEST CRITICALITY HDW/FUNC 

SUBSYSTEM: EPG FLIGHT: 3/3 

MDAC ID: 162 ABORT: 3/3 

ITEM: WATER NOZZLE HEATER (A&B) 

FAILURE MODE: FAIL ON 

LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) WRS 

5) 

6 ) 

7) 

8 ) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

3/3 

LIFTOFF: 

3/3 

TAL: 

3/3 

ONORBIT: 

3/3 

AOA: 

.3/3 

DEORBIT: 

3/3 

ATO; 

3/3 

LANDING/SAFING: 

3/3 



REDUNDANCY SCREENS: 

A [NA ] 

B [NA ] 

C [NA 3 


LOCATION: MID-BODY 

PART NUMBER: ME3 63-0042-0003 


CAUSES: VIBRATION, SHOCK, ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

NOZZLE HEATER A IS DISCONNECTED, THEREFORE, THE HEATER ELEMENT IS 
NOT REDUNDANT. A FAILED ON NOZZLE HEATER HAS NO EFFECT ON THE 
FUEL CELL. 


REFERENCES: 


REPORT DATE 11/24/86 


C-63 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

163 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 2/1R 

ABORT: 2/1R 


ITEM: WATER NOZZLE HEATER (A&B) 

FAILURE MODE: FAIL OFF 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 

BREAKDOWN HIERARCHY: 

1) EPG 

2) FCP 

3) ASA 

4) WRS 

5) 

6 ) 

7) 

8 ) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS: 

2/1R 

LIFTOFF: 

2/1R 

TAL: 

2/1R 

ONORBIT: 

2/1R 

AO A: 

2/1R 

DEORBIT: 

2/1R 

ATO: 

2/1R 

LANDING/SAFING: 

3/3 


REDUNDANCY SCREENS: 

A C 1 ] 

B [ P ] 

C [ P ] 


LOCATION: MID-BODY 

PART NUMBER: ME363-0042-0003 


CAUSES: VIBRATION, MECHANICAL SHOCK, ELECTRICAL FAILURE 


EFFECTS/RATIONALE: 

IF THE WATER IN THE NOZZLE FREEZES, THE WATER RELIEF FUNCTION IS 
LOST. ADDITIONALLY, IF THE PRODUCT WATER LINE IS BLOCKED, ALL 
THE FUEL CELLS WILL FLOOD. NOZZLE HEATER A IS DISCONNECTED; 
THEREFORE, THE HEATER ELEMENT IS NOT REDUNDANT. HOWEVER, FOR THE 
NEXT FLIGHT THE HEATER WILL BE FUNCTIONAL. 


REFERENCES: 


REPORT DATE 11/24/86 


C-64 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

164 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 2/1R 

ABORT: 2/1R 


ITEM: WATER RELIEF NOZZLE TEMPERATURE SENSOR 

FAILURE MODE: ERRONEOUS OUTPUT 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 


1) 

EPG 

2) 

FCP 

3) 

ASA 

4) 

WRS 

5) 


6) 


7 ) 


8) 


9) 



FLIGHT PHASE 
PRELAUNCH: 
LIFTOFF: 
ONORBIT: 
DEORBIT: 
LANDING/SAFING: 


CRITICALITIES 


HDW/FUNC 

3/3 

3/3 

2/1R 

2/1R 

3/3 


ABORT 

RTLS: 

TAL: 

AOA:' 

ATO: 


HDW/FUNC 

3/3 

3/3 

2/1R 

2/1R 


REDUNDANCY SCREENS: A [ 1 ] B [ P ] 


C [ P ] 


LOCATION: MID-BODY 

PART NUMBER: K-SS4-U-T1-6CNX 


CAUSES: VIBRATION, SHOCK, CORROSION, ELECTRICAL FAILURE 


EFFECTS/RATIONALE : 

AN ERRONEOUS OUTPUT FROM THE WATER RELIEF NOZZLE TEMPERATURE 
SENSOR COULD PREVENT THE NOZZLE HEATER FROM WORKING. IF THE 
HEATER IS NONFUNCTIONAL, THE NOZZLE WOULD FREEZE. IF THE PRODUCT 
WATER LINE IS BLOCKED, ALL THE FUEL CELLS WILL FLOOD. 

WITH THE RELIEF NOZZLE BLOCKED, ONLY ONE PATH (PRODUCT WATER 
LINE) REMAINS OPEN BEFORE LOSS OF ALL FCP'S. 


REFERENCES : 


REPORT DATE 11/24/86 


C-65 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


11/03/86 

EPG 

165 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 2/1R 

ABORT: 2/1R 


ITEM: WATER NOZZLE 

FAILURE MODE: RESTRICTED FLOW 


LEAD ANALYST: M. HIOTT SUBSYS LEAD: M. HIOTT 


BREAKDOWN HIERARCHY: 


1) 

EPG 

2) 

FCP 

3) 

ASA 

4) 

WRS 

5) 


6) 


7) 


8) 


9) 



FLIGHT PHASE 
PRELAUNCH: 
LIFTOFF: 
ONORBIT: 
DEORBIT: 
LANDING/SAFING: 


CRITICALITIES 
HDW/FUNC ABORT 


3/3 

2/1R 

2/1R 

2/1R 

3/3 


RTLS: 
TAL: 
AO A: 
ATO: 


HDW/FUNC 

3/3 

3/3 

2/1R 

2/1R 


REDUNDANCY SCREENS: A [ 1 ] B [NA ] 


C [ P 3 


LOCATION: MID-BODY 

PART NUMBER: ME363-0042-0003 


CAUSES: CONTAMINATION 


EFFECTS/RATIONALE : 

IF THE WATER NOZZLE BECOMES BLOCKED, THE WATER RELIEF FUNCTION IS 
LOST. WITH THE WATER NOZZLE BLOCKED, ONLY THE WATER LINE REMAINS 
OPERATIONAL BEFORE LOSS OF ALL FCP'S DUE TO FLOODING. 


REFERENCES: 


REPORT DATE 11/24/86 


C-66 



APENDIX D 

POTENTIAL CRITICAL ITEMS 


MDAC-ID 

ITEM 

FAILURE MODE 

101 

Fuel Cell 

Loss electrical contact in 
power section 

104 

End Cell Heater 

Fail off 

105 

End Cell Heater 

Fail on 

106 

Separator Plates/UEA 

Reactant leakage to Orbiter 
(external leakage) 

107 

Separator Plates/UEA 

Internal leakage 

108 

Separator Plates 

Coolant leakage 

109 

Separator Plates 

Reactant Blockage 

111 

Integrated Dual Gas 



Regulator 

Gross Venting 

112 

Integrated Dual Gas 



Regulator 

H2 overpressure 

113 

Integrated Dual Gas 



Regulator 

H2 starvation 

114 

Integrated Dual Gas 



Regulator 

02 overpressure 

115 

Integrated Dual Gas 



Regulator 

02 starvation 

116 

Integrated Dual Gas 



Regulator 

Purge failure 

117 

H2/02 Lines and Fittings 

Reactant leakage to Orbiter 


and Accessory Components 

(external leakage) 

118 

02/H2 Purge-Vent Lines 



and Vent Nozzles 

Restricted flow 

129 

Start-Up Heater 

Fail on 

130 

H2/02 Preheater 

Restricted coolant flow 

131 

H2/02 Preheater, Pump, 
Thermal Control Valve, 
Condenser, Filters, 
Start/Sustain Heater, 
Accumulator, Flexible 
Interface, ECLSS Heat 



Exchanger 

External leak of TCS coolant 

132 

Coolant Pump 

Loss of output 

138 

Water Separator Pump 

Degraded performance 

139 

Water Separator Pump/ 



Water Condensate Trap 

Restricted flow 

141 

Thermal Control Valve 

Erroneous Output 

142 

Water Discharge Valve 

Fail closed 

143 

H20 Discharge 

Restricted flow 

148 

Product Water Line 

Restricted flow 

149 

Water Supply Check Valve 

External leakage 

151 

Water Supply Check Valve 

Fails to check 

152 

Water Relief Valve 

External leakage 


D-l 



MDAC-ID 

ITEM 



FAILURE MODE 

159 

Water 

Line 

Relief 

(Vent ) 

Restricted 

flow 

163 

Water 
( A&B ) 

Nozzle 

Heater 

Fail off 


164 

Water 

Relief 

Nozzle 




Temperature Output 

Erroneous 

output 

165 

Water 

Nozzle 


Restricted 

flow 


D-2 



